MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c5ef973ba83fcf176332b6aa68134632fb821d907734f9edf64a4f057d36494. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c5ef973ba83fcf176332b6aa68134632fb821d907734f9edf64a4f057d36494
SHA3-384 hash: 832c83ab1ca0c93093969d3933bc24a9865017736f83f0e711e4a92d9a7efa9e46fbc14f16937b8d11c862b1e75e272c
SHA1 hash: 94d3900dc22f1bdef21045bd805dc15cfe6009fd
MD5 hash: 6f76ab671ea0f978318f760d04edff6b
humanhash: juliet-lactose-skylark-nine
File name:6f76ab671ea0f978318f760d04edff6b
Download: download sample
File size:612'352 bytes
First seen:2022-07-01 03:10:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c98d4fa7196ed3f8b01ec442c48bd580
ssdeep 12288:gb5D/B2CjfwDkExgBYloHof1Q5f/nWST7SojhLIPBPjm:il/Bv1Exg2luBH
Threatray 2'311 similar samples on MalwareBazaar
TLSH T181D49E32625E6CE5D9330AF884015541DEB47C574770866F67B07A9AEFF32A09C3FAA0
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon a29cd8b494b23084 (1 x Formbook, 1 x DCRat)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284750/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23207/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe greyware obfuscated wacatac
Link:
https://www.filescan.io/uploads/62be65c787c294f96f8cdfbc/reports/e48c7807-7bb8-49cb-ad3d-1617890fe0bb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/047af6fc-384e-4bed-90f4-60250bed30fd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1022940
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Suspicious command line found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 655435 Sample: tAp1AgSBEM Startdate: 01/07/2022 Architecture: WINDOWS Score: 100 47 xload.ftuappz.com 2->47 57 Multi AV Scanner detection for domain / URL 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 Potential dropper URLs found in powershell memory 2->63 9 tAp1AgSBEM.exe 1 2->9         started        signatures3 process4 signatures5 77 Very long command line found 9->77 79 Suspicious command line found 9->79 12 cmd.exe 1 9->12         started        15 cmd.exe 1 9->15         started        17 cmd.exe 1 9->17         started        19 conhost.exe 9->19         started        process6 signatures7 81 Suspicious powershell command line found 12->81 83 Uses ping.exe to sleep 12->83 85 Very long command line found 12->85 89 2 other signatures 12->89 21 powershell.exe 14 24 12->21         started        25 cmd.exe 1 12->25         started        27 DisplaySwitch.exe 15->27         started        29 powershell.exe 16 15->29         started        87 Encrypted powershell cmdline option found 17->87 32 cmd.exe 1 17->32         started        34 powershell.exe 16 17->34         started        process8 dnsIp9 49 cdn.discordapp.com 162.159.134.233, 443, 49740 CLOUDFLARENETUS United States 21->49 65 Uses schtasks.exe or at.exe to add and modify task schedules 21->65 67 Powershell drops PE file 21->67 36 schtasks.exe 1 21->36         started        69 Uses ping.exe to sleep 25->69 38 PING.EXE 1 25->38         started        71 Antivirus detection for dropped file 27->71 73 Multi AV Scanner detection for dropped file 27->73 75 Machine Learning detection for dropped file 27->75 51 162.159.133.233, 443, 49756 CLOUDFLARENETUS United States 29->51 43 C:\ProgramData\DisplaySwitch.exe, PE32 29->43 dropped 45 C:\ProgramData\inst.logf, data 29->45 dropped 41 PING.EXE 1 32->41         started        file10 signatures11 process12 dnsIp13 53 127.0.0.1 unknown unknown 38->53 55 192.168.2.1 unknown unknown 41->55
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c5ef973ba83fcf176332b6aa68134632fb821d907734f9edf64a4f057d36494/
Threat name:
Win64.Downloader.Paph
Create hunting rule
Status:
Malicious
First seen:
2022-06-27 05:25:05 UTC
File Type:
PE+ (Exe)
Extracted files:
13
AV detection:
14 of 26 (53.85%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rrpps452qp6pc5rtfnvknajummx3qioza5zu7hw7msspav6tmska._file
Verdict:
malicious
Similar samples:
260191afe0e066cf63b69262018f62ac4d3fa02cd2188440f9d678de671772ff
3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
4491bb41f0c1b41f17964834db747576ef873f9d1a999e2b78f39e7798281ee4
5ddc2cf610e2d96fd8c46286bf28c201d3435f2e848302657376ff6feace226b
85270a75c7b07e917839e1d9e998dd29daa7768cebdb383dc6cb0f729866de6a
8d28f3c7f370b5d1bf1868e5de0e16d380ca93d583ca74c45fae83ba24f9c8aa
955bce112c0abfd0b1c695f51f3300bc2ff9cfc85bcae914abd435d564432c86
d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6
+ 2'301 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220701-dplhmsbdf7/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Blocklisted process makes network request
Executes dropped EXE
Malware Config
Dropper Extraction:
https://cdn.discordapp.com/attachments/982077202424279072/989138065769513000/log.inst.1
Unpacked files
SH256 hash:
d03de5b6a56b437636dc250caf86c142c4a7c7be7727ad8093574cdc77f5f7dc
MD5 hash:
2bacf04138d67076b501baba687edc5b
SHA1 hash:
c30747e4f212c7144abd0db55cd0e2c5fbe25414
Link:
https://www.unpac.me/results/4cb145ea-d142-4c3f-b69f-9013676af0d1/
SH256 hash:
8c5ef973ba83fcf176332b6aa68134632fb821d907734f9edf64a4f057d36494
MD5 hash:
6f76ab671ea0f978318f760d04edff6b
SHA1 hash:
94d3900dc22f1bdef21045bd805dc15cfe6009fd
Link:
https://www.unpac.me/results/4cb145ea-d142-4c3f-b69f-9013676af0d1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c5ef973ba83fcf176332b6aa68134632fb821d907734f9edf64a4f057d36494

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8c5ef973ba83fcf176332b6aa68134632fb821d907734f9edf64a4f057d36494

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2237324/
Cape
Cape
https://www.capesandbox.com/analysis/284750/

Comments


Avatar
zbet commented on 2022-07-01 03:10:43 UTC

url : hxxp://file.runespectrals.com/1/ucsvc.exe