MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4
SHA3-384 hash: ab69fd7962baceb04ddf225fd801f65b0d2289bbedfbe16352c6511187789cc66f5cfc60df8e935d27c53303cdc56598
SHA1 hash: 37a092af42b298210fcf08bf12d664ca4f67a513
MD5 hash: 9938256510e61b1f2a26e276a139e879
humanhash: sweet-speaker-alpha-charlie
File name:9938256510e61b1f2a26e276a139e879.exe
Download: download sample
File size:1'784'920 bytes
First seen:2023-03-17 16:44:13 UTC
Last seen:2023-03-17 19:32:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5044024844498395d0e63ba22bbd9978 (2 x Adware.Generic, 1 x RemcosRAT, 1 x RedLineStealer)
ssdeep 49152:LVbvZFNcOr6yTI9pCDrXCuEa8OhJ3iQx9:RbRFNcOr6UI9pCDDhEa8mQQP
Threatray 383 similar samples on MalwareBazaar
TLSH T16E85F1CF19EBC461FC573336BDBD4A2AD5B87C62DB24E28BA5C467093463E91E530206
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 80c49a82d2929aaa
Reporter abuse_ch
Tags:exe signed

Code Signing Certificate

Organisation:allmusicals.com
Issuer:Sectigo RSA Domain Validation Secure Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2022-04-03T00:00:00Z
Valid to:2023-04-06T23:59:59Z
Serial number: 328e006a5d772b5197eb03439cbaf1bb
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: e3587b89efb6337ce9f8fe7ec48ca9edb98f33682c7aa08ab52a078aaab5c4a5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
217
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-17 12:50:17 UTC
Tags:
loader
Link:
https://app.any.run/tasks/619b0c65-2c82-47d1-8cbf-4c52526b7611

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375171/
Detection(s):
SecuriteInfo.com.Variant.Jaik.130102.1388.5537.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/73634/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/64149910e91ddba083cea453/reports/43b97f91-bd92-41bd-9938-f9183dd30c1c/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/b2b39892-43fa-47df-bbf6-534d8bb00de2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1196057
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 828954 Sample: 5ttIeN5tp5.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 88 33 Snort IDS alert for network traffic 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 3 other signatures 2->39 8 5ttIeN5tp5.exe 7 2->8         started        process3 dnsIp4 29 xtryf4a1nl34pryc.u8gdoruabeashvgbv 8->29 25 C:\Users\user\AppData\Local\...\6376156.dll, PE32 8->25 dropped 41 Writes to foreign memory regions 8->41 43 Allocates memory in foreign processes 8->43 45 Injects a PE file into a foreign processes 8->45 13 ngentask.exe 16 8->13         started        17 fontview.exe 8->17         started        19 ngentask.exe 8->19         started        file5 signatures6 process7 dnsIp8 31 185.246.220.89, 49697, 80 LVLT-10753US Germany 13->31 27 C:\Users\user\AppData\Roaming\...\bohx.exe, PE32 13->27 dropped 21 cmd.exe 2 13->21         started        file9 process10 process11 23 conhost.exe 21->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-03-17 16:45:09 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qd7mqci6sh3bdc6invmh5yc7mzkxk54irafcg6rdgdt54zmab3sa._file
Verdict:
malicious
Similar samples:
1b31323173493f6a6bd5e7eee14ea280bd08d0d8a6edc5834a36354629f5ce9d
2395406485367f123c11e0ad5b8a1ce58638921fb7e7acfdd06e341135b2d8df
309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d
4f8d6ffadd35a07194cc2739873ef459f246b5aeff1d88b5b10fe34887d4a786
530e60117af681ba636ba03254c06041e865afa3f9cf1596ced6d59d58bdb1b8
584c144d09b76173e49dcdf517526d26ef26959e447734612343d03d25145f5e
6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e
747bff52167a03f0db2458b3a67b8ea292044dafe4dd921f0c6613b7030987a1
bc2c5aac27aaaf644147f10e1ad1d43e01ad4cd63787923f6bc81def10067b4b
+ 373 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230317-t9dxashb63/
Behaviour
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
bbb95ec3af91f4b5900f11df3fa381f7ffafa50fdba8d7ff54b5237eaca40175
MD5 hash:
800303bff47fc048fa0caeb1c59e83c2
SHA1 hash:
8352392c9c20b39c4ccac55b76d96faeb5d62fdb
Link:
https://www.unpac.me/results/b89f79cd-aefb-4204-aeff-f80d514fd64e/
SH256 hash:
80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4
MD5 hash:
9938256510e61b1f2a26e276a139e879
SHA1 hash:
37a092af42b298210fcf08bf12d664ca4f67a513
Link:
https://www.unpac.me/results/b89f79cd-aefb-4204-aeff-f80d514fd64e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 80fec8091e91f6118bc86d587ee05f6655757788880a237a2330e7de65800ee4

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/375171/
  
URLhaus
https://urlhaus.abuse.ch/url/2575268/
  
Delivery method
Distributed via web download

Comments