MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8092e96ce21a70e38bfa251b28547a84555f64691087c86f4a9c9314ebff6e41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12

SHA256 hash: 8092e96ce21a70e38bfa251b28547a84555f64691087c86f4a9c9314ebff6e41
SHA3-384 hash: 13a875a8341ff406bc27169265e9a988374e13b6f1d0779a1b7a80d4d6febb2e068eb73216eed35a34641d033dfd1e61
SHA1 hash: f5750e24a31bb1af9dfe29a29fb7e36b7e83fc17
MD5 hash: e67fc7beb4e8902b1b9b4d68db37f13d
humanhash: yankee-sodium-earth-jig
File name: setup.exe
File size: 13'824 bytes
First seen: 2023-04-15 00:18:09 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 78b2451ed2a5402bd00bc9ed05a79452
ssdeep: 192:BqkdVC08mYp/02t5v3mCIPWJ5jOjQzqOFAs+FOp1LLlIQM7E5hzwbiN81HrF:BqkbYp/0kvWCpJ5jLztZdHlIj7YNi
TLSH: T12D520703BED146A1E37B4A3828B2A565C1BBB7749F20D78B97A41A1D09715E0DC31B2E
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: Chainskilabs
Tags: exe
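A check worth running on the downloaded sample before it goes anywhere near a sandbox: recompute the digests listed above, confirm the file size, and confirm the MZ/PE header that the file type (Executable exe) and MIME type (application/x-dosexec) imply. This is an added example, not MalwareBazaar's own tooling; the expected values are copied from this entry, the function names are this example's own, and FAKE_PE is a constructed 80-byte header used only to exercise the code offline.

```python
"""Pre-analysis sanity checks for a sample pulled from a MalwareBazaar entry.

Added example (not MalwareBazaar code). EXPECTED holds the values printed on
this entry; fingerprint/is_pe/verify are names chosen for this example.
"""
import hashlib
import struct

# Size and digests listed on this MalwareBazaar entry for setup.exe.
EXPECTED = {
    "size": 13824,
    "md5": "e67fc7beb4e8902b1b9b4d68db37f13d",
    "sha1": "f5750e24a31bb1af9dfe29a29fb7e36b7e83fc17",
    "sha256": "8092e96ce21a70e38bfa251b28547a84555f64691087c86f4a9c9314ebff6e41",
    "sha3_384": "13a875a8341ff406bc27169265e9a988374e13b6f1d0779a1b7a80d4d6febb2e"
                "068eb73216eed35a34641d033dfd1e61",
}


def fingerprint(data: bytes) -> dict:
    """Return the file size plus the four digests MalwareBazaar lists per sample."""
    digests = {name: hashlib.new(name, data).hexdigest()
               for name in ("md5", "sha1", "sha256", "sha3_384")}
    digests["size"] = len(data)
    return digests


def is_pe(data: bytes) -> bool:
    """True when data starts with a DOS 'MZ' stub whose e_lfanew field (offset
    0x3C) points at a 'PE\\0\\0' signature, i.e. it is a Windows PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def verify(data: bytes, expected: dict = EXPECTED) -> list:
    """Compare a local file against the entry. Returns a list of mismatch
    descriptions; an empty list means every listed value matched and the
    file has a valid PE header."""
    actual = fingerprint(data)
    problems = [f"{key}: expected {value}, got {actual[key]}"
                for key, value in expected.items() if actual[key] != value]
    if not is_pe(data):
        problems.append("not a PE file (bad MZ/PE headers)")
    return problems


# Constructed stand-in for a PE file (not the real sample): 'MZ' stub,
# e_lfanew = 0x40, 'PE\0\0' at offset 0x40, 80 bytes in total.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 12


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "setup.exe"
    with open(path, "rb") as fh:
        blob = fh.read()
    issues = verify(blob)
    print("OK: matches the MalwareBazaar entry" if not issues else "\n".join(issues))
```

Run it against the extracted sample (`python check.py setup.exe`); any non-empty output means the file on disk is not what this entry describes and should not be analysed as if it were. The imphash, ssdeep and TLSH values above need third-party libraries (pefile, ssdeep, py-tlsh) to reproduce and are deliberately left out of this stdlib-only check.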

Intelligence

File Origin
# of uploads: 1
# of downloads: 244
Origin country: US
Vendor Threat Intelligence

Malware family:
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-04-14 17:34:39 UTC
Tags: installer loader smoke trojan evasion stealer vidar ransomware stop rat redline miner

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Launching a process
Sending an HTTP GET request
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a file
Creating a window
Launching the process to interact with network services
Creating a file in the Windows subdirectories
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm autoit greyware keylogger shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.spre.troj.evad
Score: 80 / 100
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Obfuscated command line found
Powershell drops PE file
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Writes a notice file (html or txt) to demand a ransom
Yara detected Ncat Network tool
Behaviour
Behavior Graph (ID 847136, sample setup.exe, start date 15/04/2023, architecture WINDOWS, score 80), recovered from the graph text as a process tree:

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Ncat Network tool
Domain contacted by the sample: gamejump.site

setup.exe
  signatures: Suspicious powershell command line found; Obfuscated command line found
  powershell.exe
    network: 140.82.121.3:443 (GITHUBUS, United States); github.com 140.82.121.4:443 (GITHUBUS, United States); raw.githubusercontent.com 185.199.108.133:443 (FASTLYUS, Netherlands)
    dropped: C:\ProgramData\hellext.exe (PE32); C:\ProgramData\hellext.dll (PE32+)
    hellext.exe
      dropped: C:\...\StartMenuExperienceHost.exe (PE32); C:\ProgramData\...\erots.vbs (ASCII); C:\Users\user\AppData\Local\Temp\autBC.tmp (PE32+); 10 other files (none is malicious)
      cmd.exe
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        conhost.exe
      cmd.exe
        powershell.exe
          network: aka.ms 184.26.13.202:443 (AKAMAI-ASUS, United States)
          dropped: C:\ProgramData\vc_redist.x86.exe (PE32)
        conhost.exe
      cmd.exe
        conhost.exe
        WMIC.exe
      9 other processes (including conhost.exe, conhost.exe and 13 further processes)
    conhost.exe
  powershell.exe
    network: packages.wazuh.com 13.224.103.64:443 (AMAZON-02US, United States)
    signatures: May check the online IP address of the machine; Powershell drops PE file
    msiexec.exe
      signature: Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
    net.exe
      net1.exe
    conhost.exe
  powershell.exe
    network: iplogger.com 148.251.234.93:443 (HETZNER-ASDE, Germany)
    conhost.exe
msiexec.exe
  dropped: C:\Program Files (x86)\...\vista_sec.txt (Unicode); C:\...\local_internal_options.conf (ASCII); C:\Windows\Installer\MSI33F9.tmp (PE32); 19 other files (none is malicious)
  signature: Writes a notice file (html or txt) to demand a ransom
  msiexec.exe
    icacls.exe (three instances, each with a conhost.exe child; one of those conhost.exe instances spawned 2 other processes)
  msiexec.exe
wazuh-agent.exe
3 other processes

Note that the ransom-note signature is attached to the files dropped by msiexec.exe (vista_sec.txt and local_internal_options.conf), not to anything written by hellext.exe; inspect those files before treating this as ransomware behaviour.
Threat name: Win32.Trojan.Doina
Status: Malicious
First seen: 2023-04-14 18:57:02 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 11 of 24 (45.83%)
Threat level: 5/5
Verdict: malicious

Result
Malware family: n/a
Score: 8/10
Tags: discovery persistence
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
AutoIT Executable
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Downloads MZ/PE file
Unpacked files
SHA256 hash: 8092e96ce21a70e38bfa251b28547a84555f64691087c86f4a9c9314ebff6e41
MD5 hash: e67fc7beb4e8902b1b9b4d68db37f13d
SHA1 hash: f5750e24a31bb1af9dfe29a29fb7e36b7e83fc17

Please note that we are no longer able to provide a coverage score for VirusTotal.
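The vendor reports above give host and network indicators for this sample (the dropped hellext.exe / hellext.dll / erots.vbs / vc_redist.x86.exe files, the gamejump.site and iplogger.com lookups, schtasks-based persistence, PowerShell spawned from setup.exe) alongside hosts that are legitimate services abused for hosting (github.com, raw.githubusercontent.com, aka.ms). The script below, an added example and not MalwareBazaar's or any sandbox vendor's code, turns those into a weighted hunt over Sysmon-style events so that the GitHub traffic alone never flags a machine. The events are constructed, and the field names (EventID 1 process create, 11 file create, 22 DNS query; Image, ParentImage, CommandLine, TargetFilename, QueryName, Computer) follow the Sysmon schema as an assumption about the log source.

```python
"""Hunt for this sample's reported indicators in Sysmon-style events.

Added example (not MalwareBazaar or vendor code). Indicator values come from
the vendor reports on this entry; weights, thresholds and event records are
this example's own choices.
"""
import re

# Full paths reported as dropped. The sandbox user is "user", so the Temp path
# will differ per victim; match the file name loosely in production.
DROPPED_PATHS = {
    r"c:\programdata\hellext.exe",
    r"c:\programdata\hellext.dll",
    r"c:\programdata\vc_redist.x86.exe",
    r"c:\users\user\appdata\local\temp\autbc.tmp",
}
# Dropped files for which the report only shows a truncated directory.
DROPPED_NAMES = {"erots.vbs", "startmenuexperiencehost.exe"}

# Contacted hosts and a weight. GitHub and aka.ms are legitimate services
# ("Legitimate hosting services abused for malware hosting/C2"), so on their
# own they must never flag a host; gamejump.site and iplogger.com are not
# something a workstation should normally resolve.
NETWORK_WEIGHT = {
    "gamejump.site": 3,
    "iplogger.com": 3,
    "raw.githubusercontent.com": 1,
    "github.com": 1,
    "aka.ms": 1,
}
STRONG = 2      # a hit with weight >= STRONG counts as a strong indicator
THRESHOLD = 4   # per-host score needed to flag

SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)


def match_event(ev: dict) -> list:
    """Return (weight, reason) pairs for one event; empty list if nothing matched."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11:                                    # FileCreate
        path = ev.get("TargetFilename", "").lower()
        if path in DROPPED_PATHS or path.rsplit("\\", 1)[-1] in DROPPED_NAMES:
            hits.append((3, f"dropped file reported for this sample: {path}"))
    elif eid == 22:                                  # DNSEvent
        host = ev.get("QueryName", "").lower()
        if host in NETWORK_WEIGHT:
            hits.append((NETWORK_WEIGHT[host], f"resolved {host}"))
    elif eid == 1:                                   # ProcessCreate
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if SCHTASKS_CREATE.search(ev.get("CommandLine", "")):
            hits.append((2, "schtasks /create (persistence, as in the report)"))
        if image.endswith("\\powershell.exe") and parent.endswith("\\setup.exe"):
            hits.append((2, "powershell.exe spawned by setup.exe"))
    return hits


def triage(events: list) -> dict:
    """Aggregate hits per Computer. A host is flagged only when its score
    reaches THRESHOLD and at least one strong indicator fired, so a developer
    pulling files from GitHub never trips on the weak network indicators alone."""
    hosts = {}
    for ev in events:
        rec = hosts.setdefault(ev.get("Computer", "?"),
                               {"score": 0, "strong": False, "reasons": []})
        for weight, reason in match_event(ev):
            rec["score"] += weight
            rec["strong"] = rec["strong"] or weight >= STRONG
            rec["reasons"].append(reason)
    for rec in hosts.values():
        rec["flagged"] = rec["score"] >= THRESHOLD and rec["strong"]
    return hosts


# Constructed events (not real telemetry): ws-a replays the chain from the
# behaviour graph; ws-b only fetched something from GitHub.
EVENTS = [
    {"Computer": "ws-a", "EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\setup.exe",
     "CommandLine": "powershell.exe -w hidden -nop -ep bypass"},
    {"Computer": "ws-a", "EventID": 22, "QueryName": "raw.githubusercontent.com"},
    {"Computer": "ws-a", "EventID": 11, "TargetFilename": r"C:\ProgramData\hellext.exe"},
    {"Computer": "ws-a", "EventID": 22, "QueryName": "iplogger.com"},
    {"Computer": "ws-a", "EventID": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /tn Updater /tr C:\ProgramData\hellext.exe /sc minute /mo 5"},
    {"Computer": "ws-b", "EventID": 22, "QueryName": "github.com"},
    {"Computer": "ws-b", "EventID": 22, "QueryName": "raw.githubusercontent.com"},
]

if __name__ == "__main__":
    for host, rec in triage(EVENTS).items():
        state = "FLAGGED" if rec["flagged"] else "clean"
        print(host, state, rec["score"], "; ".join(rec["reasons"]))
```

With the constructed events, ws-a scores 11 with three strong hits and is flagged; ws-b scores 2 from the two GitHub lookups and stays clean. The file hashes on this entry are the most precise indicator of all and belong in the same hunt, but only for the original setup.exe: the payloads it drops are separate files with their own hashes, which this entry does not list.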

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 8092e96ce21a70e38bfa251b28547a84555f64691087c86f4a9c9314ebff6e41 (this sample)

Delivery method: Distributed via web download
