MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8798fc1226b6cbc166c1ade4c5e5d3472e30b078ccbeb399376df8b29d3dae8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8798fc1226b6cbc166c1ade4c5e5d3472e30b078ccbeb399376df8b29d3dae8f
SHA3-384 hash: 06e0a701433ad6fdd718f16384fe2d1211743dd96538fed175024b8362b25700f8f236719516575824280aa9edc43b70
SHA1 hash: b784df514d5c276de06a919a0b3c3364755e4714
MD5 hash: 82cf57370e124c4813d271a271b602e3
humanhash: johnny-harry-missouri-monkey
File name:82cf57370e124c4813d271a271b602e3.exe
Download: download sample
File size:6'160'672 bytes
First seen:2021-11-02 06:22:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:xZAHTsE2H2srchEYlX/A1z8Rqx2bezeSpqQKTrlM9n7emjthNgNQ7sgkP4+PP:xuTsvZclvA1Uq8eze4/n7bj3yNQ7ePZn
Threatray 562 similar samples on MalwareBazaar
TLSH T1AA563387B758CE87F3D261B92AE26A45D9E578A07CF0F1AC721FE66F59D04C0006462F
File icon (PE):PE icon
dhash icon e4f4a4c4c8ccc2e0 (2 x DanaBot)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
82cf57370e124c4813d271a271b602e3.exe
Verdict:
No threats detected
Analysis date:
2021-11-02 06:38:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/56a7bd00-aaa7-40ca-ac50-6fb297aaf860

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/201261/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Deleting a recently created file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6180d949bf51178dbe47cb30/reports/4a32f79f-b2f6-4165-ae22-a4848baaff81/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9c3d7a5-f6a8-4f93-9b10-d3c6fcbf5520
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/880986
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513422 Sample: 8tl4AWL3Qc.exe Startdate: 02/11/2021 Architecture: WINDOWS Score: 100 58 Antivirus / Scanner detection for submitted sample 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 5 other signatures 2->64 7 8tl4AWL3Qc.exe 25 2->7         started        10 IntelRapid.exe 2->10         started        13 IntelRapid.exe 2->13         started        process3 file4 32 C:\Users\user\AppData\Local\...\zircon.exe, PE32+ 7->32 dropped 34 C:\Users\user\AppData\Local\...\thracevp.exe, PE32 7->34 dropped 36 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->36 dropped 38 3 other files (none is malicious) 7->38 dropped 15 thracevp.exe 3 18 7->15         started        20 zircon.exe 4 7->20         started        76 Query firmware table information (likely to detect VMs) 10->76 78 Hides threads from debuggers 10->78 80 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->80 signatures5 process6 dnsIp7 42 ip-api.com 208.95.112.1, 49742, 80 TUT-ASUS United States 15->42 28 C:\Users\user\AppData\...\jbxdlyufkhna.vbs, ASCII 15->28 dropped 44 Antivirus detection for dropped file 15->44 46 Multi AV Scanner detection for dropped file 15->46 48 Query firmware table information (likely to detect VMs) 15->48 56 2 other signatures 15->56 22 wscript.exe 12 15->22         started        30 C:\Users\user\AppData\...\IntelRapid.exe, PE32+ 20->30 dropped 50 Machine Learning detection for dropped file 20->50 52 Hides threads from debuggers 20->52 54 Tries to detect sandboxes / dynamic malware analysis system (registry check) 20->54 26 IntelRapid.exe 20->26         started        file8 signatures9 process10 dnsIp11 40 iplogger.org 88.99.66.31, 443, 49743 HETZNER-ASDE Germany 22->40 66 System process connects to network (likely due to code injection or exploit) 22->66 68 May check the online IP address of the machine 22->68 70 Query firmware table information (likely to detect VMs) 26->70 72 Hides threads from debuggers 26->72 74 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->74 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8798fc1226b6cbc166c1ade4c5e5d3472e30b078ccbeb399376df8b29d3dae8f/
Threat name:
Win32.Downloader.Convagent
Create hunting rule
Status:
Malicious
First seen:
2021-11-02 01:21:07 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
15691c73aab5780751badca9956f6a30a7f4e4a36bd246db8cc15e6a3e72c7ca
1d853f68927005c2158b9e5730d78b0c13e7306339a2807cc24fdbf82e37b647
42867a85488fa02a8586ae78c033bfd5c4324cef6395b7e15a483c378c34904b
4f27a3fe51d0494d18648a7279b2a368f86288148b7c1044d4d24ae7e4dfcca1
5096923b747f0cc35c156149f19587b53d62a111835ba0e0438b0c2ffbec2224
80bed6ab0b5b8714354e174beb3be2c10a749dd8133c2e74f3ebdb4936e6f411
819ed4f32ff14b2deb0e83663eec147e5f6118394ec016652cab6841afc76ad6
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
87eaf27b8e7e20b741a8e2e09f114a9faac9b8e9b315c2af875910ed708ce938
c45d421ef1cd52ccc0dfa8bbacd093af7fdca76d402c7d773e97a5b1f0c8522a
+ 552 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211102-g5gfeaggdj/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
99f0cfe502a251a57c6247dbeaf10048101a7d57e51cc6de9c78ac8175a3021d
MD5 hash:
39c5a1985943c94972b140be4617dc53
SHA1 hash:
f6c09020fae936efd8185377300fc2c8010f8d36
Link:
https://www.unpac.me/results/24557529-3926-4a31-bc26-4bea8453a7f9/
SH256 hash:
8798fc1226b6cbc166c1ade4c5e5d3472e30b078ccbeb399376df8b29d3dae8f
MD5 hash:
82cf57370e124c4813d271a271b602e3
SHA1 hash:
b784df514d5c276de06a919a0b3c3364755e4714
Link:
https://www.unpac.me/results/24557529-3926-4a31-bc26-4bea8453a7f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8798fc1226b6cbc166c1ade4c5e5d3472e30b078ccbeb399376df8b29d3dae8f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8798fc1226b6cbc166c1ade4c5e5d3472e30b078ccbeb399376df8b29d3dae8f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1735478/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/201261/

Comments