MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a6fdfe5c2802b564b6d76d02fa183c360cd1a04e9cc7e8a0589a6a4a6a65892. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a6fdfe5c2802b564b6d76d02fa183c360cd1a04e9cc7e8a0589a6a4a6a65892
SHA3-384 hash: a338677dc649caafe8b6f13516e6c20e36b90fdc517a735d1dfc87b005247bdee620a1979726b5318f54d6ee5b4c4c2a
SHA1 hash: cb0a7ec7940bb05f2655af0a75b20f5a71199da1
MD5 hash: 93bf648e0a7619b5c97bf395257e8cba
humanhash: timing-foxtrot-illinois-fillet
File name:MsSgrmLpac.exe
Download: download sample
File size:23'307'776 bytes
First seen:2023-02-14 13:30:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0ea7b7844bbc5bfa9bb32efdcea957c (61 x Sliver, 17 x CobaltStrike, 12 x AsyncRAT)
ssdeep 393216:P3aL2BsgB7XPAPd3JXTofF4xnkkNTUkwfClRZOt/5srmSMY2fJvuTDUdd/M4FjpO:PK87TP
TLSH T16B374AC3F854B1A4D496E3728D2551A1BA317C8A2B31A7E71A91FF681F327E49F72700
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter iamdeadlyz
Tags:crashreportcdn-dot-com exe SpacePearl


Avatar
Iamdeadlyz
From spacepearl.io (fake P2E game - plagiarised contents from multiple sources - fake team)
Malicious traffic to C&C: crashreportcdn.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MsSgrmLpac.exe
Verdict:
Malicious activity
Analysis date:
2023-02-14 13:41:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8f4d8a29-6304-49b6-872a-551b5063d79b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
DNS request
Sending a custom TCP request
Launching a process
Running batch commands
Reading critical registry keys
Changing a file
Setting a global event handler for the keyboard
Stealing user critical data
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/69583/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
Gathering data
Verdict:
Suspicious
Labled as:
HackTool/Sliver.a
Link:
https://www.hybrid-analysis.com/sample/8a6fdfe5c2802b564b6d76d02fa183c360cd1a04e9cc7e8a0589a6a4a6a65892
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1174449
Signature
Bypasses PowerShell execution policy
Drops PE files to the startup folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win64.Infostealer.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-14 13:33:56 UTC
File Type:
PE+ (Exe)
Extracted files:
6
AV detection:
3 of 26 (11.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rjx57zocqavvms3no3ic7imdynqm2gqe5hgh5cqfrgtkjjvglcja._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230214-qsdy7ada6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Reads user/profile data of web browsers
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8a6fdfe5c280/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/8a6fdfe5c2802b564b6d76d02fa183c360cd1a04e9cc7e8a0589a6a4a6a65892

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present

File information

The table below shows additional information about this malware sample such as delivery method and external references.

253e3a339c2aa3b7beae2b01862658882839e2d0a9bcd374cfa64c6222065e71

Executable exe 8a6fdfe5c2802b564b6d76d02fa183c360cd1a04e9cc7e8a0589a6a4a6a65892

(this sample)

  
Dropped by
SHA256 253e3a339c2aa3b7beae2b01862658882839e2d0a9bcd374cfa64c6222065e71
  
Dropped by
SHA256 4e2201550f99defa680ab58ced545a76b5b555f779f3478b13f556d35d5e186c
  
Dropped by
SHA256 5eab59869728c98ff7d30af4033958c5da68d2403dfdbbeecb0c2cc03f69712f
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2539530/
  
Dropped by
MD5 26cd0ff7a3b8e92ce4b1f755870649bd

Comments