MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b504851d102cabc8e046c5feae0ad40fcac47d0918d90476a4005f2d79c667f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b504851d102cabc8e046c5feae0ad40fcac47d0918d90476a4005f2d79c667f
SHA3-384 hash: 586325e1bc52ca3df360a16749257e8a02d38065b81b4fe4b301dbc57bcf3fb63ccb1ff27c22222aa4cd58285bcba668
SHA1 hash: cffc4b6789e4d9fab96746cfc4a602b107d1ff91
MD5 hash: af604970be664e62b3291e639def939b
humanhash: island-hot-aspen-mobile
File name:af604970be664e62b3291e639def939b
Download: download sample
File size:7'118'336 bytes
First seen:2022-08-20 09:38:16 UTC
Last seen:2022-08-20 12:04:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d812527b5988192695ea156eae610de1 (2 x RaccoonStealer)
ssdeep 98304:dj5VuFdRhLrdnM2ZhZqPLKEmvFd6Mbo+6Sf0aPEBJVd4VQC763JA0HjjxSjo:dj5VSb5nF8+EE6M5JyVd5qS6Gjd/
TLSH T19966232322950059E0E5CD76842B7EE571F6039B8B81EC3CBADB5EC129336F5E316A53
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af604970be664e62b3291e639def939b
Verdict:
Suspicious activity
Analysis date:
2022-08-20 09:41:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d05b3602-c640-4cbb-a920-5c98321d246a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299889/
Detection(s):
SecuriteInfo.com.Heur.Kelios.1.12376.8934.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Launching a process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6300abba22f7bd450b20911e/reports/e24ba7ef-38c7-4f3f-b715-e290f67e19d5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/79348e12-eb96-4f66-bbcc-375aeace88e4
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1054758
Signature
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to evade analysis by execution special instruction (VM detection)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b504851d102cabc8e046c5feae0ad40fcac47d0918d90476a4005f2d79c667f/
Threat name:
Win32.Trojan.Kelios
Create hunting rule
Status:
Malicious
First seen:
2022-08-20 09:39:18 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rniequoralflzdqenrp6vyfnid6kyr6qsggzar3kiac7fv44mz7q._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220820-lml1dshhgk/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unpacked files
SH256 hash:
e872053a6d56b87109f641532a01937711f1e76a3f65fd12c957ae0ee9b4fd92
MD5 hash:
51bac470f768cb94275771723a9dec31
SHA1 hash:
78049b7ff62e9f8e7a9942efe105620760eb7a2f
Link:
https://www.unpac.me/results/ca55566f-edb8-4ce9-bed2-5190e247a458/
SH256 hash:
8b504851d102cabc8e046c5feae0ad40fcac47d0918d90476a4005f2d79c667f
MD5 hash:
af604970be664e62b3291e639def939b
SHA1 hash:
cffc4b6789e4d9fab96746cfc4a602b107d1ff91
Link:
https://www.unpac.me/results/ca55566f-edb8-4ce9-bed2-5190e247a458/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b504851d102cabc8e046c5feae0ad40fcac47d0918d90476a4005f2d79c667f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8b504851d102cabc8e046c5feae0ad40fcac47d0918d90476a4005f2d79c667f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2275010/
Cape
Cape
https://www.capesandbox.com/analysis/299889/

Comments


Avatar
zbet commented on 2022-08-20 09:38:19 UTC

url : hxxp://5.252.176.62/K2X2R1K4C6Z3G8L0R1H0/68515718711529966786.bin