MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa
SHA3-384 hash:	35225965c65b0d62deee0b5facbec69f5643c3772d79ad9de9a9b259d7db47760def057c8922fe5f2c0e91dca932941e
SHA1 hash:	7b6ac100289ddd57e620f6a5a5c5973ea8801a83
MD5 hash:	cb948b13a5046a692ec3ed8cc16a9566
humanhash:	golf-berlin-hamper-mars
File name:	070824-attachment.exe
Download:	download sample
File size:	134'056 bytes
First seen:	2024-08-22 19:27:09 UTC
Last seen:	2024-08-22 20:30:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	611809a6193e147d10a26a297044fb48
ssdeep	3072:TrXCQRkdMJJY/9SBfOtqFiU74JsU3NFj++++gp5yraMFTjEGL1fSy:QQB1Fiviq++++g3o0cb
Threatray	1 similar samples on MalwareBazaar
TLSH	T1F2D35B8A33B401E9E573863989954655DBB6F81507218FEF03B443AA2F233D18D3EF66
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
File icon (PE):
dhash icon	64e4d4d4ecf4d4d4 (2 x RedLineStealer)
Reporter	smica83
Tags:	ALIOT LLC exe HUN signed

Code Signing Certificate

Organisation:	ALIOT LLC
Issuer:	GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:	sha256WithRSAEncryption
Valid from:	2024-04-19T14:01:05Z
Valid to:	2025-04-20T14:01:05Z
Serial number:	46210667748673aa387a781c
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	9abfdd122f702acf0f4da806212985465e42e81446b40be567ca51a732e6dbf8
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

374

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

070824-attachment.exe

Verdict:

No threats detected

Analysis date:

2024-08-22 19:29:58 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/404e027e-128a-480f-ac5d-50ae66dfffa0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.MalwareX-gen.4508.25415.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c79143b2a4681a72967dc3

Tags:

Encryption Static Malware

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm microsoft_visual_cc overlay packed

Link:

https://www.filescan.io/uploads/66c791466575775f0489c840/reports/746dd403-769a-442f-8323-49564d8fdab5/overview

Verdict:

Malicious

Labled as:

Win64/Agent.EIR trojan

Link:

https://www.hybrid-analysis.com/sample/86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/fabec3d1-05ab-4cd1-a1f7-0cd4263e0ac6

Result

Threat name:

n/a

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1497663

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

PE file has a writeable .text section

Behaviour

Behavior Graph:

Download SVG

Score:

85%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q3mck6xfnzoyeife4p4ds3mujnpj4qltfnmk25dse5wxrlvcgl5a._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/240822-x6mxkstepc/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/817b492a-a7d3-491f-8042-1214a79a1dd1

Unpacked files

SH256 hash:

86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa

MD5 hash:

cb948b13a5046a692ec3ed8cc16a9566

SHA1 hash:

7b6ac100289ddd57e620f6a5a5c5973ea8801a83

Link:

https://www.unpac.me/results/83e3aa02-6ae2-4b19-8b44-17097e7b640b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

https://x.com/malwrhunterteam/status/1826702191186640901?t=ZlWOa6JS4FJbOKEkUXQk1g&s=19

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample