MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b3e4b4ebbb727564e6aea41a152f83c45ea37fbf2e26db6ce458083252a950a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 8b3e4b4ebbb727564e6aea41a152f83c45ea37fbf2e26db6ce458083252a950a
SHA3-384 hash: 4494f0347834700f44ee8dbf5a69ac0a71851a881d07d60e50fc3e2818ffa4c39a400200c13e4ba6b11a7b6f9787d95f
SHA1 hash: 5f95004ff602b6171f92aab9881bd04704ce9199
MD5 hash: f132c1b8499280c53601ccda5ba90878
humanhash: sodium-red-oscar-blue
File name: f132c1b8499280c53601ccda5ba90878
File size: 1'105'424 bytes
First seen: 2022-03-02 19:31:46 UTC
Last seen: 2022-03-02 22:39:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 86f389a618f3916b1cff24eabbba22b4
ssdeep: 24576:dA+7SnfEJkroXQDgoDSvCls2jDEcOVKEz1:SW+EJAogvf9DDOI2
Threatray: 464 similar samples on MalwareBazaar
TLSH: T13635333877275910C7FDE276AC395707F806B6DD97BA43267408A02ADD4F016EBE218E
Reporter: zbetcheckin
Tags: 32 exe signed

Code Signing Certificate

Organisation: S-Data Swordfish ASWORDFISH-530R-Y 250
Issuer: S-Data Swordfish ASWORDFISH-530R-Y 250
Algorithm: sha1WithRSAEncryption
Valid from: 2022-03-01T11:44:43Z
Valid to: 2032-03-02T11:44:43Z
Serial number: 426a8b9421e87cb14e42c7dafaf45277
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: a65953eb3dd9a28c742b9c35270642fa6f7a56aeac66283d7eb53713c58ade83
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 204
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2022-03-02 14:00:16 UTC
Tags: evasion trojan socelars stealer loader rat redline vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for analyzing tools
Searching for the window
Creating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay packed shell32.dll

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.GenCBL
Status: Malicious
First seen: 2022-03-02 13:38:05 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 15 of 28 (53.57%)
Threat level: 5/5

Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application

Unpacked files
SHA256 hash: c6b1d1fe9350d2bd5464cbe0e807c3e72791bec072966510c911cdb205c2ff32
MD5 hash: 0a0c7ab638cb9e9f73f2da489b4589ab
SHA1 hash: 04b8cb87a3d8664862bde07954013c9b207fb641

SHA256 hash: 8b3e4b4ebbb727564e6aea41a152f83c45ea37fbf2e26db6ce458083252a950a
MD5 hash: f132c1b8499280c53601ccda5ba90878
SHA1 hash: 5f95004ff602b6171f92aab9881bd04704ce9199

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Executable exe 8b3e4b4ebbb727564e6aea41a152f83c45ea37fbf2e26db6ce458083252a950a (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-03-02 19:31:48 UTC

url: hxxp://duoproc.net/2/data64_5.exe