MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c
SHA3-384 hash: 6f3b618491c6d789b780458704fd9d4430a09179f3253af6b2133c78517f12d9fee9aea5079fbbdd5a18023de4884c78
SHA1 hash: 9ad963c5cc215104a727ab5c6e63385378b503a3
MD5 hash: 3d83eabe9ee2a4fbcf6431d78ab7a34e
humanhash: mexico-minnesota-zebra-east
File name:3d83eabe9ee2a4fbcf6431d78ab7a34e.exe
Download: download sample
File size:638'466 bytes
First seen:2021-07-08 15:03:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a3768a75eba55604b789706b6a238d1c (2 x Formbook, 1 x RemcosRAT)
ssdeep 12288:QLyh5Wt60Cibp9t/iOWccO3RTWjSiuPBR5lpbTYwI:QLmH0N9WlkTGSBRS
TLSH T1D6D48D37F2D1413AF2222C384D66A144A817FD506E38ACE257F43D8C2EBB742785A5E6
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
zxcv.EXE
Verdict:
Malicious activity
Analysis date:
2021-07-08 14:12:33 UTC
Tags:
trojan stealer vidar raccoon loader rat azorult
Link:
https://app.any.run/tasks/fe33e5a0-e625-4fc1-8c90-2126ce3bfc64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170482/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d2fc4021-4066-4922-b01d-effc899b2e97
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813575
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 445990 Sample: iijBXGGICZ.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 49 cdn.discordapp.com 2->49 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected Clipboard Hijacker 2->59 61 Machine Learning detection for sample 2->61 9 iijBXGGICZ.exe 1 24 2->9         started        14 Hjvbjtp.exe 2->14         started        16 sqlcmd.exe 2->16         started        18 Hjvbjtp.exe 2->18         started        signatures3 process4 dnsIp5 51 cdn.discordapp.com 162.159.130.233, 443, 49728, 49729 CLOUDFLARENETUS United States 9->51 47 C:\Users\Public\Libraries\...\Hjvbjtp.exe, PE32 9->47 dropped 63 Detected unpacking (changes PE section rights) 9->63 65 Detected unpacking (overwrites its own PE header) 9->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 9->67 73 2 other signatures 9->73 20 iijBXGGICZ.exe 2 9->20         started        23 cmd.exe 1 9->23         started        25 cmd.exe 1 9->25         started        69 Multi AV Scanner detection for dropped file 14->69 71 Machine Learning detection for dropped file 14->71 53 192.168.2.1 unknown unknown 18->53 file6 signatures7 process8 file9 43 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 20->43 dropped 45 C:\Users\user\...\sqlcmd.exe:Zone.Identifier, ASCII 20->45 dropped 27 schtasks.exe 1 20->27         started        29 reg.exe 1 23->29         started        31 conhost.exe 23->31         started        33 cmd.exe 1 25->33         started        35 conhost.exe 25->35         started        process10 process11 37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 33->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 12:51:57 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210708-wr9y5qqhc6/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
1fd7371f99d6d6c22279f208d56c7030cc4a7807c44eca52aceb56d7f67ce794
MD5 hash:
135e22fb2a688966b3e75e16441f9d18
SHA1 hash:
5364d1af468956d5b0341c5f43aaf674679f7a32
Link:
https://www.unpac.me/results/5a165f38-388d-426b-9732-24d4e773fc4c/
SH256 hash:
88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c
MD5 hash:
3d83eabe9ee2a4fbcf6431d78ab7a34e
SHA1 hash:
9ad963c5cc215104a727ab5c6e63385378b503a3
Link:
https://www.unpac.me/results/5a165f38-388d-426b-9732-24d4e773fc4c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 88f79e83c95b1e666a1bcb387919b2dba6ebb0cdc6db14c7f6d1229728e40a6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1323338/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/170482/

Comments