MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9



SHA256 hash: 89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
SHA3-384 hash: d45dd40ce01c558b4868e0c8b5bd8d978d49a4ec536fd3b50614d12ebb053bd5187afd620c4f638852c22d39bc88214d
SHA1 hash: b9d95b55a1fcce11a68e309af2ac549b73634c15
MD5 hash: 619477a50eb1e8fedf93c113944763d0
humanhash: four-april-purple-two
File name: 619477a50eb1e8fedf93c113944763d0
File size: 250'552 bytes
First seen: 2022-09-02 05:31:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b34f154ec913d2d2c435cbd644e91687 (527 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep: 3072:3FRLmrHvTaqLbItmu+2bkHZyjX44US7tJoWcvGToKdt4xNtmDTsAaEHK5N/IOkj/:VlgvTRHyJkHZys4US8KkwsAhmOO8m7W9
TLSH: T1AA34122193D2A5B7E4AB8B701437EE276ABDE4302C284B071F513AAA3CF6711591DF91
TrID:
  48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
  10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
  7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: zbetcheckin
Tags: 32 exe signed

Code Signing Certificate

Organisation: Honningkages Hepatotoxemia
Issuer: Honningkages Hepatotoxemia
Algorithm: sha256WithRSAEncryption
Valid from: 2021-09-02T11:56:07Z
Valid to: 2024-09-01T11:56:07Z
Serial number: -0f8e7f755d617962
Thumbprint algorithm: SHA256
Thumbprint: d13cab1d3c89c643a537cd4425706dbddc7566af01e708d05ab1a377608a09e9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 365
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 619477a50eb1e8fedf93c113944763d0
Verdict: Malicious activity
Analysis date: 2022-09-02 05:34:18 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Searching for the window
Creating a file in the %temp% subdirectories
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window

Result
Malware family: n/a
Score: 5/10
Tags: n/a
MalwareBazaar
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID: 696216; sample: gb9YrG14vW.exe; start date: 02/09/2022; architecture: WINDOWS; score: 52)
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree: gb9YrG14vW.exe started; dropped C:\Users\user\AppData\...\showauth.dll (PE32+) and C:\Users\user\AppData\Local\...\nsExec.dll (PE32); started three powershell.exe processes (each of which started conhost.exe) and 15 other processes (which started three conhost.exe processes and 12 other processes)
Threat name: Win32.Trojan.Nemesis
Status: Malicious
First seen: 2022-08-31 13:55:56 UTC
File type: PE (Exe)
Extracted files: 8
AV detection: 8 of 26 (30.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SHA256 hash: 8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
MD5 hash: 3d366250fcf8b755fce575c75f8c79e4
SHA1 hash: 2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256 hash: bb7e367bee3e91651d444db3c2f0997de914650547c66473bb201a2724d49196
MD5 hash: 6ea4aa54a7837e790c0b822dc8c27cd6
SHA1 hash: 1ed173163c496c482b36ef737fb6832e2b82cb6e

SHA256 hash: 89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944
MD5 hash: 619477a50eb1e8fedf93c113944763d0
SHA1 hash: b9d95b55a1fcce11a68e309af2ac549b73634c15
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 89599ae785aa5f919018882cd10534cbae8ac89047ebbeda0b232d52fa545944 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-09-02 05:31:04 UTC

url : hxxp://172.245.220.196/210/vbc.exe