MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4
SHA3-384 hash: 9fa796d4fb34ce2fc31891c3e0bd10b05a05cabdd86591def81fbfe44b2115619f78e5ed5f9c486cca280ea0b678f0cc
SHA1 hash: d560fdaed07146a1b4fa519ae023bfa61c1594a6
MD5 hash: 897af5616bfd6af5b687876924f39ee3
humanhash: bluebird-william-texas-wolfram
File name:897af5616bfd6af5b687876924f39ee3
Download: download sample
File size:1'049'600 bytes
First seen:2023-10-24 04:53:37 UTC
Last seen:2023-10-24 06:34:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e957e1fac34ad27ace053a2e67ea5b97
ssdeep 12288:Tq73genXXHoA/of0L4enXXHoA/of0LOOR1:uZnR/eUhnR/eUOG
TLSH T170255D51E096113AFDD87A340092B1A53B02DE7F19429DBECCCBEACBC54626329D5C9F
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b36c53295199b865
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
306
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
metamorfo
Create hunting rule
ID:
1
File name:
897af5616bfd6af5b687876924f39ee3
Verdict:
Malicious activity
Analysis date:
2023-10-24 04:56:12 UTC
Tags:
autoit metamorfo trojan stealer
Link:
https://app.any.run/tasks/19b595d2-17a8-4d05-8ebd-82f6aa786631

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/455830/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.69973040.16065.8670.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Running batch commands
Launching cmd.exe command interpreter
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd greyware lolbin
Link:
https://www.filescan.io/uploads/65374dea2b74b3f20dd9357e/reports/273f1e0f-2fec-4738-864b-6b7c2400ef9b/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mispadu
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c8ab9f0c-4213-4330-b89d-be3d40456473
Result
Threat name:
MailPassView
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1330994
Signature
Allocates memory in foreign processes
Command shell drops VBS files
Contains functionality to inject code into remote processes
Contains functionality to modify clipboard data
Found API chain indicative of sandbox detection
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Writes to foreign memory regions
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1330994 Sample: dGuYmJNS1K.exe Startdate: 24/10/2023 Architecture: WINDOWS Score: 100 39 m4gx.dns04.com 2->39 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 2 other signatures 2->49 11 dGuYmJNS1K.exe 2->11         started        signatures3 process4 signatures5 53 Obfuscated command line found 11->53 14 cmd.exe 1 11->14         started        process6 process7 16 cmd.exe 3 2 14->16         started        18 cmd.exe 2 14->18         started        22 conhost.exe 14->22         started        24 3 other processes 14->24 file8 26 wscript.exe 2 32 16->26         started        35 C:\Users\Public\bjk6l9.vbs, ASCII 18->35 dropped 51 Command shell drops VBS files 18->51 signatures9 process10 dnsIp11 41 m4gx.dns04.com 206.71.149.162, 443, 49737, 49738 NTT-COMMUNICATIONS-2914US United States 26->41 37 C:\wql455oi0\lp1a3, PE32 26->37 dropped 30 ef2dsio342ai.exe 26->30         started        file12 process13 signatures14 55 Found API chain indicative of sandbox detection 30->55 57 Contains functionality to inject code into remote processes 30->57 59 Writes to foreign memory regions 30->59 61 3 other signatures 30->61 33 attrib.exe 30->33         started        process15
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-10-24 04:54:05 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=riatxgnjxaxa6z5t4rzpoytqkkivkb4rmmi7cdfmlnu6q7z5dhka._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  9/10
Tags:
collection
Link:
https://tria.ge/reports/231024-fjjg7saf8x/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Unpacked files
SH256 hash:
8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4
MD5 hash:
897af5616bfd6af5b687876924f39ee3
SHA1 hash:
d560fdaed07146a1b4fa519ae023bfa61c1594a6
Link:
https://www.unpac.me/results/9fd40acb-2108-4f33-9eca-003ec1b4b842/
Malware family:
MailPassView
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a013b99a9b8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_ENV_Folder_Root_File_Jan23_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2724561/
Cape
Cape
https://www.capesandbox.com/analysis/455830/

Comments


Avatar
zbet commented on 2023-10-24 04:53:38 UTC

url : hxxp://84.54.50.102/FX_432661.exe