MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81c8407852e8e6af7a2f31f6743c5d9eae11962a5a1682c15e663364b9a9b986. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81c8407852e8e6af7a2f31f6743c5d9eae11962a5a1682c15e663364b9a9b986
SHA3-384 hash: fdd9d448a7225b116161bce21a29d405951d5eff08ff3c8938f15c8ac724c7ff59420f58fc077f8765ef7b977a4fc083
SHA1 hash: 7b46d1b5032091fab0b5ea98d8440848264874ca
MD5 hash: 489974dbcbe6433278140a7c66655aa2
humanhash: mango-bluebird-aspen-equal
File name:489974dbcbe6433278140a7c66655aa2.exe
Download: download sample
File size:239'616 bytes
First seen:2021-12-12 18:50:28 UTC
Last seen:2021-12-12 20:33:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5c8f313cbfd1daaf7c803ddde998ff8c
ssdeep 6144:NavIRPFGlAayP1fMkZ3D6XrJNC4x8EPY5e:q2ayP1fsJNuEPY
TLSH T1D7347D217690C0B7C11B203849DAD77577BABE214B35874B7B943B7D5F702E28A29B0E
File icon (PE):PE icon
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
489974dbcbe6433278140a7c66655aa2.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-12 18:53:02 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1172bd82-5caf-4b3e-9e9d-fdd937a4ceae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PCRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/213447/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38252564.11426.26377.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Сreating synchronization primitives
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1730/overview
Behaviour
MalwareBazaar
CursorPosition
SystemUptime
MeasuringTime
CheckScreenResolution
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive greyware keylogger
Link:
https://www.filescan.io/uploads/61b644984b267126def0b6e7/reports/25ba90b2-4498-44d0-8ef1-5a3e887c4bfc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/860b03ad-a20e-4a6a-a47e-f4431f612e11
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/906036
Signature
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to capture and log keystrokes
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionality to modify windows services which are used for security filtering and protection
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81c8407852e8e6af7a2f31f6743c5d9eae11962a5a1682c15e663364b9a9b986/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-12-12 02:15:00 UTC
File Type:
PE (Exe)
Extracted files:
55
AV detection:
20 of 45 (44.44%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/211212-xhgewsdgdk/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Enumerates connected drives
Unpacked files
SH256 hash:
81c8407852e8e6af7a2f31f6743c5d9eae11962a5a1682c15e663364b9a9b986
MD5 hash:
489974dbcbe6433278140a7c66655aa2
SHA1 hash:
7b46d1b5032091fab0b5ea98d8440848264874ca
Link:
https://www.unpac.me/results/3ffb8785-2905-4029-ac36-fc10328070b2/
Malware family:
Gh0st RAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/81c8407852e8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/81c8407852e8e6af7a2f31f6743c5d9eae11962a5a1682c15e663364b9a9b986

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 81c8407852e8e6af7a2f31f6743c5d9eae11962a5a1682c15e663364b9a9b986

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1830421/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/213447/

Comments