MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9
SHA3-384 hash: 26354d3594827737fffec0a2446f559b602530b54e205d9f194f800ce30cfcdbf667e296f9250c87fb8ca79babe89a49
SHA1 hash: 7017b0087ebc433d1c3900517e59335241e84698
MD5 hash: 64f7ad73e1404e00eb49c853e0aeba2e
humanhash: steak-angel-bakerloo-michigan
File name:Soft.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:994'304 bytes
First seen:2022-03-06 12:24:34 UTC
Last seen:2022-03-06 13:41:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:Wjc6uHAW92zt/sWu2BSMCqDT3abjbmzLzLzSbTrT7u7zXzHgrMq:WQLH+tkWJ0c3abjbmzLzLzSbTrT7u7zi
Threatray 259 similar samples on MalwareBazaar
TLSH T165257C8D63753E31E52D66F2F10B524D488DBA48C6470E82BE814CDF3BD9174928BBB6
File icon (PE):PE icon
dhash icon e0c8cec6c6c6c0e0 (3 x BlackGuard, 3 x Formbook, 2 x MassLogger)
Reporter 3xp0rtblog
Tags:BlackGuard exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
477
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PredatorTheThief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247665/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.12555.28564.2178.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/99f880f5-c672-40eb-974f-26607688e4e3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/951405
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 12:26:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
BlackGuard
4e7a2d297395633bb98f5a8e2c51ed41bad9e7b8917eca00aa9b83517d16eb91
BlackGuard
4f4d29507bafc223646d98f5fed78d52dd96caeee2072ff17b15718b45a1811f
BlackGuard
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
BlackGuard
63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7
BlackGuard
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
BlackGuard
87bcf35d7135ecbc956554098f411ef9bf7d20d0a7905442d2417f422d7479b3
BlackGuard
98a293de8d3eb34cee5e3e8edc9f472323d13a997bdbd2806ac1fe483f5efd14
BlackGuard
ba2bc430c4661aab84cf7e8fedf2684e5fc106f7797af4553aef7490193b00a6
BlackGuard
bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207
BlackGuard
+ 249 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220306-plndlsccaj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
d06cb02cbfee813ab730d0a45e38358b9b07e8c70d47656688ad2a06e2cd6cf3
MD5 hash:
9618689d6e8d3802270e8a46e2644a38
SHA1 hash:
8c13e61f126509a200f98beb3cdf5888c593f7de
Link:
https://www.unpac.me/results/b55d6ec8-7bf2-4e99-a8f6-a1be37d55f27/
SH256 hash:
877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9
MD5 hash:
64f7ad73e1404e00eb49c853e0aeba2e
SHA1 hash:
7017b0087ebc433d1c3900517e59335241e84698
Link:
https://www.unpac.me/results/b55d6ec8-7bf2-4e99-a8f6-a1be37d55f27/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1500119223812730884
Cape
Cape
https://www.capesandbox.com/analysis/247665/

Comments