MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12



SHA256 hash: 8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f
SHA3-384 hash: 2020f291ba7a26c7a1bb76be96c5f1c2c458655704773326ba3890e640ee6af818bbe17abf6cddd0a8cdfd8b859bceec
SHA1 hash: dcb9716f5749d17b7aa738791e4387ddf58844f2
MD5 hash: ed5e4fff5c537cfe6dd73b92fde90dd8
humanhash: friend-tango-violet-uniform
File name: 8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f
File size: 1'942'020 bytes
First seen: 2022-11-02 12:07:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 49152:t84Rqf1CF4dQJ6Na7MR+h/x8CVGzjJkAKMW:t9J6Na7r7GzjNW
Threatray: 1'503 similar samples on MalwareBazaar
TLSH: T1E89523417AC255B2DA621E320639BB71657C7D210F388BEB6390691EDE341C0EB35BB7
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: JAMESWT_WT
Tags: exe update-hilifimyanmar-com

Intelligence

File Origin
# of uploads: 1
# of downloads: 226
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f
Verdict: Suspicious activity
Analysis date: 2022-11-02 12:09:00 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
  Creating a window
  Searching for the window
  Creating synchronization primitives
  Searching for synchronization primitives

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
  MalwareBazaar
  MeasuringTime
  EvasionQueryPerformanceCounter

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll

Result
Verdict: MALICIOUS
Details
  Windows PE Executable
  Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
  Allocates memory in foreign processes
  Antivirus detection for dropped file
  Changes security center settings (notifications, updates, antivirus, firewall)
  Creates a thread in another existing process (thread injection)
  Drops executables to the windows directory (C:\Windows) and starts them
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for dropped file
  Multi AV Scanner detection for submitted file
  Query firmware table information (likely to detect VMs)
  System process connects to network (likely due to code injection or exploit)
  Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 735911; Sample: CBmV89hw4k.exe; Startdate: 02/11/2022; Architecture: WINDOWS; Score: 100)
  Start node (submitted sample)
    Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 2 other signatures
    Started: ScanImage.exe; CBmV89hw4k.exe; svchost.exe; 8 other processes
  ScanImage.exe (started by the sample)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection)
    Started: dllhost.exe
  CBmV89hw4k.exe
    Dropped: C:\Users\user\Desktop\ScanImageui.dll (PE32); C:\Users\user\Desktop\ScanImage.exe (PE32)
    Started: ScanImage.exe
  svchost.exe
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    Started: MpCmdRun.exe
  8 other processes
    Signatures: Query firmware table information (likely to detect VMs)
  dllhost.exe (started by ScanImage.exe)
    DNS / IP: update.hilifimyanmar.com; download.hilifimyanmar.com; 2 other IPs or domains
    Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Creates a thread in another existing process (thread injection)
    Started: userinit.exe
  ScanImage.exe (started by CBmV89hw4k.exe)
    Dropped: C:\Windows\HP\HP Imaging\ScanImageui.dll (PE32); C:\Windows\HP\HP Imaging\ScanImage.exe (PE32)
  MpCmdRun.exe (started by svchost.exe)
    Started: conhost.exe
Threat name: Win32.Trojan.DllHijacking
Status: Malicious
First seen: 2022-11-02 06:58:11 UTC
File Type: PE (Exe)
Extracted files: 46
AV detection: 20 of 26 (76.92%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
  Modifies Internet Explorer settings
  Suspicious use of SetWindowsHookEx

Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
  SHA256 hash: b02ad51f2aef09851916565745c4a07997f5c8b038961b724ae29a1caa4800c8
  MD5 hash: b67e928736cc5ae96637b590c16553c2
  SHA1 hash: c2c6f2ffb1496fe061da0195b71a9bf1d45a1e25

  SHA256 hash: 676fb007222dd568c9e3710dab874f114695519924dafba2d268f090ddbc4407
  MD5 hash: c253069b263bb29acc092024e015e93e
  SHA1 hash: e888f50124a86f1c8598eda635fcc1aefc7c1e54

  SHA256 hash: efade7cf8f2caeb5a5d1cf647796975b0b153feac67217fccbdd203e473a4928
  MD5 hash: 7b7e78fe4e6f99ff203627c5fb9c9878
  SHA1 hash: 8d82bb3f64a8874b8161f03210d71483b8f26584

  SHA256 hash: 8c8a4db691bc7fffd379eab27c0336621f553982006b196c39be8f4e3f29e85f
  MD5 hash: ed5e4fff5c537cfe6dd73b92fde90dd8
  SHA1 hash: dcb9716f5749d17b7aa738791e4387ddf58844f2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

Rule name: sfx_pdb_winrar_restrict
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments