MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c3fb96eef0946d42e08ad4b51410e55907f510c4ea7ec65f5b4fdc21731abf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c3fb96eef0946d42e08ad4b51410e55907f510c4ea7ec65f5b4fdc21731abf5
SHA3-384 hash: 594c57462283dad283c3237d575bd5aa03027500804d515a338593d8ba4d2f8c6dd9640a7edf60ee9b6e53702617a74c
SHA1 hash: 2d7a98a7d54e95e9e194479d4b94ca81be574efb
MD5 hash: fbba5773d8f282c455aeca48048fb480
humanhash: bacon-minnesota-spring-apart
File name:fbba5773d8f282c455aeca48048fb480
Download: download sample
File size:39'936 bytes
First seen:2022-07-23 03:44:12 UTC
Last seen:2022-07-23 04:48:44 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 384:LRDP88XRnUsky0q0uPLg/GbqK4EWQgdwjxH8QhE/o+akXt60XB5O4y7cU28:VT88XRUscKuGbqK4EehVt60XBfwz
Threatray 486 similar samples on MalwareBazaar
TLSH T1A603411B12EE7CE6C2BA4630737353D6C719DE006453E72D4AE07029A97F2877942BE9
TrID 88.8% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win32 Executable (generic) (4505/5/1)
0.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 414545c0d4c05503 (37 x njrat, 3 x AsyncRAT, 1 x RedLineStealer)
Reporter openctibr
Tags:dll OpenCTI.BR Sandboxed

Intelligence

File Origin
# of uploads :
2
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293571/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.40255.12140.25917.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62db6f41ef2b0e63a833f8c8/reports/9c03352f-c872-4ce8-836b-62915590f45f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb0dfd11-59d0-434e-8580-8fe4db54b20c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1039604
Signature
.NET source code contains very large array initializations
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 672098 Sample: ftjpsg6mAo Startdate: 23/07/2022 Architecture: WINDOWS Score: 52 13 Multi AV Scanner detection for submitted file 2->13 15 .NET source code contains very large array initializations 2->15 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c3fb96eef0946d42e08ad4b51410e55907f510c4ea7ec65f5b4fdc21731abf5/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-07-22 12:37:29 UTC
File Type:
PE (.Net Dll)
Extracted files:
13
AV detection:
9 of 26 (34.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rq73s3xpbfdnilqivvfvcqiokwih6uimj2t6yzpvwt64efzrvp2q._file
Verdict:
malicious
Similar samples:
32b193aca4cf6061123fb809a9051b031891efa653f5c77960dcf803272ccd01
379f50b8d0acd67a2feeb157c3748bb0cf93564b328fbb140502f9c008420690
38cc28b2a0a069f2987a1b35cd761ce3290197cbdcf9a2a688fd9f5e8c09e77c
3aa05543a1d3b8e859b74626a86bae6d2704b276bf241f2fc234237caba9fb9f
41bc7a7c5c2a56f824426ce34edb7e36a185bbfadb27c75a488df741aea2971f
4f9c507cb0e09bad2b7db650affc35dfee1c6716d33153e9d53f5d78c9af37c8
a9c5050588f7b5d3a5c8806c8bf60d390b342f28c12c7bcfc58422855b02bf91
ded34cd2ed0760339482d95a23e470a57efb7d7ee0c407ca68ebcbcbfe5649fd
e66a9278b226c68a5bdcc5a85a2b894ceb1587ac93cc164f4c58c93a7c8e00cc
+ 476 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220723-ea3daabgh4/
Unpacked files
SH256 hash:
8c3fb96eef0946d42e08ad4b51410e55907f510c4ea7ec65f5b4fdc21731abf5
MD5 hash:
fbba5773d8f282c455aeca48048fb480
SHA1 hash:
2d7a98a7d54e95e9e194479d4b94ca81be574efb
Link:
https://www.unpac.me/results/c18ede05-4675-405d-8301-81a675df07e0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8c3fb96eef0946d42e08ad4b51410e55907f510c4ea7ec65f5b4fdc21731abf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:INDICATOR_EXE_Packed_Spices
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with 9Rays.Net Spices.Net Obfuscator.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DLL dll 8c3fb96eef0946d42e08ad4b51410e55907f510c4ea7ec65f5b4fdc21731abf5

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/293571/
  
URLhaus
https://urlhaus.abuse.ch/url/2259744/
  
Delivery method
Distributed via web download

Comments