MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff
SHA3-384 hash: 5fccf073ef4b7da200e37c6993234a864d3ed4245773f852a1433d30246d49d9747e9771583ebe6d92cf1064e2ca2554
SHA1 hash: 15bd36dd0a4bbbed1f9ed6c6d8de6736ec8bb80c
MD5 hash: b1ded25620bde4c3737fbcb9e7096e9d
humanhash: eleven-jupiter-leopard-juliet
File name:b1ded25620bde4c3737fbcb9e7096e9d.exe
Download: download sample
File size:3'583'246 bytes
First seen:2023-07-09 09:27:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ff847646487d56f85778df99ff3728a (4 x RedLineStealer, 3 x Nitol, 2 x Gh0stRAT)
ssdeep 49152:ON26FOnzGn6LJvqkwnpC+mWd6uIccB9G53WLM7i1rTCTZd0vlQaf:O06FOznLo0+Dd6uxcEmpT19Qaf
Threatray 30 similar samples on MalwareBazaar
TLSH T18FF52352F382C0B1E9AA01B905618A754E396D3257B6C5F7AFD07D2E8E343D0AB73706
TrID 68.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
10.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.1% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon fadadac2a2b8c4e4 (11 x Nitol, 2 x Amadey, 2 x AgentTesla)
Reporter obfusor
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
HK HK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b1ded25620bde4c3737fbcb9e7096e9d.exe
Verdict:
Malicious activity
Analysis date:
2023-07-09 09:28:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d6b70f60-0ee5-4688-8004-0c894f5fcf12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/412705/
Detection(s):
MiscreantPunch.SingleXOR.EXE.7.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.BackDoor.IRC.Bot.4560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Creating a file
Creating a file in the Program Files subdirectories
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/96670/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control greyware lolbin obfuscated overlay packed shell32
Link:
https://www.filescan.io/uploads/64aa7da30e49d672f31ec73f/reports/8d02c86f-b72a-45d6-a427-bb16923b43c8/overview
Verdict:
Suspicious
Labled as:
Confidence_95
Link:
https://www.hybrid-analysis.com/sample/8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d11fa937-83a3-4f97-b87d-62cbd142c7db
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1271087
Signature
Found driver which could be used to inject code into processes
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1271087 Sample: eHgxyXej23.exe Startdate: 11/07/2023 Architecture: WINDOWS Score: 60 47 Multi AV Scanner detection for submitted file 2->47 49 Found driver which could be used to inject code into processes 2->49 51 May modify the system service descriptor table (often done to hook functions) 2->51 8 eHgxyXej23.exe 4 2->8         started        process3 file4 33 C:\Users\user\AppData\Local\...\irsetup.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 8->35 dropped 11 irsetup.exe 20 8->11         started        process5 file6 37 C:\Program Files (x86)\...\hookport_win10.sys, PE32 11->37 dropped 39 C:\un.exe, PE32+ 11->39 dropped 41 C:\Program Files (x86)\...\360PayInsure.exe, PE32 11->41 dropped 43 3 other files (none is malicious) 11->43 dropped 53 Sample is not signed and drops a device driver 11->53 15 iusb3mon.exe 8 11->15         started        17 un.exe 5 11->17         started        20 un.exe 3 11->20         started        signatures7 process8 dnsIp9 23 WerFault.exe 23 9 15->23         started        25 WerFault.exe 2 9 15->25         started        31 C:\Microsoft\iusb3mon.exe, PE32 17->31 dropped 27 conhost.exe 17->27         started        45 192.168.2.1 unknown unknown 20->45 29 conhost.exe 20->29         started        file10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2023-07-09 07:09:07 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rriszracxkkcj6ldkd3p3kiba7czisonovrpsq4vtdmtdpqq3d7q._file
Verdict:
unknown
Similar samples:
02a8afb13fb3fa71b1607c1c878322ab3894d6e3d646ac17782339cc6065ce45
1e7ed9a8dd2e513ace96352932af722d1c3c88641b97f8f59a50774ef1dc31ea
24612d672e37bb6e47a89202b9a442b94eb7a353aa899746621c0c15389ab4f5
583d8351de707ac2b46a2fb9fd9ee31056ad7a83b9fea10df5f3e5e46f890b92
6f325f597152d05729febea8dd2077cf68efff4abfe593f4cf633baf06e35b57
7ce3b6378d4515a232cdbc3ed69c80f05236ae72ce868ea49dfa1353fd1da53d
827349ef926486d692dec5158ac66fcc27ec6f628f759f1cb23814f50f93ab88
ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a
ba26e8891650d628be2c1ecba0da7c5f73623818da427da719d566dea725f546
dc4f19e5e4dc8fcc3c4ef23408bb2786351dbc4c6d68fd8f882bcbdf52211ff3
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/230709-lfbk3sca42/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
1a76e6bca3429cae6ce1af00dcbb00c54135f9f9024dd09fafaa0d8b2005f4db
MD5 hash:
d475b83fa74e99c83a25c09942bc31d5
SHA1 hash:
e3f82455c8a6f29884648eaaa517f756c62e81da
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
SH256 hash:
8f81bc92ee775ad5fa62ee1a504c45950be985e1f00006e630e913ca2e11abe1
MD5 hash:
54009012e012fa0496d452cccebdb192
SHA1 hash:
a682b66b666e86e4eabf8e0d28b9d98b18ae963a
Detections:
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
Parent samples :
ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a
583d8351de707ac2b46a2fb9fd9ee31056ad7a83b9fea10df5f3e5e46f890b92
7ce3b6378d4515a232cdbc3ed69c80f05236ae72ce868ea49dfa1353fd1da53d
8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff
SH256 hash:
3e31ac96cc9f23ca66777bcbf220ecf9440d0f95db2a2eb63cd21cd429215d90
MD5 hash:
24bc951a816d6d741ea952a68b32e727
SHA1 hash:
2e76fb07c23812d984348de09be52113f045c236
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
SH256 hash:
1a76e6bca3429cae6ce1af00dcbb00c54135f9f9024dd09fafaa0d8b2005f4db
MD5 hash:
d475b83fa74e99c83a25c09942bc31d5
SHA1 hash:
e3f82455c8a6f29884648eaaa517f756c62e81da
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
SH256 hash:
8f81bc92ee775ad5fa62ee1a504c45950be985e1f00006e630e913ca2e11abe1
MD5 hash:
54009012e012fa0496d452cccebdb192
SHA1 hash:
a682b66b666e86e4eabf8e0d28b9d98b18ae963a
Detections:
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
Parent samples :
ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a
583d8351de707ac2b46a2fb9fd9ee31056ad7a83b9fea10df5f3e5e46f890b92
7ce3b6378d4515a232cdbc3ed69c80f05236ae72ce868ea49dfa1353fd1da53d
8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff
SH256 hash:
3e31ac96cc9f23ca66777bcbf220ecf9440d0f95db2a2eb63cd21cd429215d90
MD5 hash:
24bc951a816d6d741ea952a68b32e727
SHA1 hash:
2e76fb07c23812d984348de09be52113f045c236
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
SH256 hash:
1a76e6bca3429cae6ce1af00dcbb00c54135f9f9024dd09fafaa0d8b2005f4db
MD5 hash:
d475b83fa74e99c83a25c09942bc31d5
SHA1 hash:
e3f82455c8a6f29884648eaaa517f756c62e81da
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
SH256 hash:
8f81bc92ee775ad5fa62ee1a504c45950be985e1f00006e630e913ca2e11abe1
MD5 hash:
54009012e012fa0496d452cccebdb192
SHA1 hash:
a682b66b666e86e4eabf8e0d28b9d98b18ae963a
Detections:
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
win_sinowal_w1
Create hunting rule
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
Parent samples :
ac2776e3263b66f68353ec62113742e5b045f92da733866a7952673df4b1c45a
583d8351de707ac2b46a2fb9fd9ee31056ad7a83b9fea10df5f3e5e46f890b92
7ce3b6378d4515a232cdbc3ed69c80f05236ae72ce868ea49dfa1353fd1da53d
8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff
SH256 hash:
3e31ac96cc9f23ca66777bcbf220ecf9440d0f95db2a2eb63cd21cd429215d90
MD5 hash:
24bc951a816d6d741ea952a68b32e727
SHA1 hash:
2e76fb07c23812d984348de09be52113f045c236
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
SH256 hash:
8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff
MD5 hash:
b1ded25620bde4c3737fbcb9e7096e9d
SHA1 hash:
15bd36dd0a4bbbed1f9ed6c6d8de6736ec8bb80c
Link:
https://www.unpac.me/results/dccda537-21a2-41bd-944f-bebadd42843a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c512cc402ba9424f96350f6fda90107c59449cd7562f9439598d931be10d8ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/412705/

Comments