MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341
SHA3-384 hash: 126fee6dc63ab58cac8e958eedf1fe865d18be176612f641eebf2d179f70efcd1ae75805d57e0d8c33f93db174c8df46
SHA1 hash: 9d63950c73423991e2884392bc9682d836f9e031
MD5 hash: 19b20fc498d366730c470bacab083fe7
humanhash: one-orange-river-mockingbird
File name:file
Download: download sample
File size:12'722'472 bytes
First seen:2022-11-11 01:54:54 UTC
Last seen:2022-11-11 03:35:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 196608:8ZhuxUqr8arjzvp/lrMbq/zJhgRCyy8vMXkixKV8UrAPcADUXpmCt3Fe:ChSUs3rHx/lQbq7oTy8mkiICU0nAX73Q
Threatray 2 similar samples on MalwareBazaar
TLSH T1CCD6233BB258B13EC56B0B3246B39260587BB661A81A8C1B07F4491DDF7B6701F3F619
TrID 59.6% (.EXE) Inno Setup installer (109740/4/30)
22.5% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
5.7% (.EXE) Win64 Executable (generic) (10523/12/4)
3.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 1270cc92caccd496
Reporter jstrosch
Tags:exe signed

Code Signing Certificate

Organisation:Rocketship Apps, LLC
Issuer:DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-22T00:00:00Z
Valid to:2022-12-21T23:59:59Z
Serial number: 029776aa5671184c563a2033100df5c6
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: c4cba8207ce200764a7758c370a24eaf33b99c4ed76ef84ac6a59eecb5c48208
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
floxif
Create hunting rule
ID:
1
File name:
3e65623fbd9769116ed2ce98313cc17bfd83e56dd48f51fc56e31cd0e414c5b1
Verdict:
Malicious activity
Analysis date:
2022-09-26 12:21:44 UTC
Tags:
opendir trojan floxif evasion socelars stealer loader rat redline
Link:
https://app.any.run/tasks/a6949b7e-d5e2-47c3-88a5-e275073439f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332193/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/636dab7a82dd9f2e265373b8/reports/91a23a8d-a64e-4ab8-9d2f-368def797785/overview
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f4ccd508-5078-4f09-89e3-62834877a721
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad.mine
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1110905
Signature
Found strings related to Crypto-Mining
Multi AV Scanner detection for submitted file
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743602 Sample: file.exe Startdate: 11/11/2022 Architecture: WINDOWS Score: 28 89 Multi AV Scanner detection for submitted file 2->89 91 Found strings related to Crypto-Mining 2->91 12 file.exe 2 2->12         started        16 msiexec.exe 447 122 2->16         started        18 VC_redist.x64.exe 2->18         started        process3 file4 67 C:\Users\user\AppData\Local\Temp\...\file.tmp, PE32 12->67 dropped 93 Obfuscated command line found 12->93 20 file.tmp 2 15 12->20         started        69 C:\Windows\System32\vcruntime140_1.dll, PE32+ 16->69 dropped 71 C:\Windows\System32\vcruntime140.dll, PE32+ 16->71 dropped 73 C:\Windows\System32\vcomp140.dll, PE32+ 16->73 dropped 75 45 other files (none is malicious) 16->75 dropped 24 VC_redist.x64.exe 18->24         started        signatures5 process6 dnsIp7 83 d2l7sw81k13yby.cloudfront.net 13.224.103.92, 443, 49713, 49714 AMAZON-02US United States 20->83 85 13.224.103.95, 443, 49725 AMAZON-02US United States 20->85 87 2 other IPs or domains 20->87 53 C:\Users\user\...\vc_redist.x64.exe (copy), PE32 20->53 dropped 55 C:\Users\user\AppData\Local\...\is-TEKR6.tmp, PE32 20->55 dropped 57 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 20->57 dropped 59 C:\Users\user\AppData\...\PEInjector.dll, PE32 20->59 dropped 26 vc_redist.x64.exe 3 20->26         started        29 VC_redist.x64.exe 24->29         started        file8 process9 file10 61 C:\Windows\Temp\...\vc_redist.x64.exe, PE32 26->61 dropped 31 vc_redist.x64.exe 71 26->31         started        63 C:\Users\user\AppData\Local\...\wixstdba.dll, PE32 29->63 dropped 34 VC_redist.x64.exe 29->34         started        process11 file12 79 C:\Windows\Temp\...\VC_redist.x64.exe, PE32 31->79 dropped 81 C:\Windows\Temp\...\wixstdba.dll, PE32 31->81 dropped 36 VC_redist.x64.exe 29 18 31->36         started        39 VC_redist.x64.exe 34->39         started        process13 file14 51 C:\ProgramData\...\VC_redist.x64.exe, PE32 36->51 dropped 41 VC_redist.x64.exe 36->41         started        43 VC_redist.x64.exe 39->43         started        process15 file16 46 VC_redist.x64.exe 41->46         started        65 C:\Windows\Temp\...\wixstdba.dll, PE32 43->65 dropped process17 file18 77 C:\Windows\Temp\...\wixstdba.dll, PE32 46->77 dropped 49 VC_redist.x64.exe 46->49         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341/
Threat name:
Win32.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 21:45:00 UTC
File Type:
PE (Exe)
AV detection:
8 of 26 (30.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rirhxadrjixoexyekqpsbr545yyghwlfiho6ilu4tfjd4lgxinaq._file
Verdict:
malicious
Similar samples:
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
86890f5d0dc15d61b23cef3a33334a22fd11a729d8831f3eb9d8b54ffb48fa98
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221111-cb476aaber/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/857dd6aa-ecc5-40e4-a733-888965f93141
Unpacked files
SH256 hash:
720b4d9ed198216af086937ff5fb0096c74fc3cbb08a90f92401aa676fdc0448
MD5 hash:
5cba791738a763c7af823454023799ef
SHA1 hash:
be4bcf66492589e7141bef13a1b3e4d43daac0f2
Link:
https://www.unpac.me/results/e40cf71b-1bc0-4359-8d25-482d60791960/
SH256 hash:
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341
MD5 hash:
19b20fc498d366730c470bacab083fe7
SHA1 hash:
9d63950c73423991e2884392bc9682d836f9e031
Link:
https://www.unpac.me/results/e40cf71b-1bc0-4359-8d25-482d60791960/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/332193/
  
URLhaus
https://urlhaus.abuse.ch/url/2407602/

Comments