MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8
SHA3-384 hash:	959332633241058d515a9b78a8d3e7a45fccbb7e09a3a24d6b1eb37c5678d24d256dad1da5e91e453ec40aa60ff68049
SHA1 hash:	8d0d763fc0143ca3a558be97839d1f8b9f2da783
MD5 hash:	1a1f83039d1b0b3ae515fff1c1062801
humanhash:	yankee-echo-kitten-harry
File name:	1688809443fb19dd60cf30e2c61634df2042c588f84882097e142d9e7b4ab1faebb974338a983.dat-decoded
Download:	download sample
File size:	12'800 bytes
First seen:	2023-07-08 09:44:07 UTC
Last seen:	2023-07-18 18:55:31 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep	192:OqGOImCk52zLT04H98+cBhGOnT1Vu4IW1CnhsJgQHs2hEsKXrdzLuhHh:OHO10zRdhcOqVu3nhqds2heXrUhHh
Threatray	117 similar samples on MalwareBazaar
TLSH	T16E42C81967E84738EABEAB339C7191510672FE49DD23DE7D09E095190E332448EE1F26
TrID	35.4% (.EXE) Win64 Executable (generic) (10523/12/4) 22.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 15.1% (.EXE) Win32 Executable (generic) (4505/5/1) 6.9% (.ICL) Windows Icons Library (generic) (2059/9) 6.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter	abuse_ch
Tags:	base64-decoded dll

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

Vendor Threat Intelligence

Detection:

DLAgent09 Downloader

Link:

https://www.capesandbox.com/analysis/411720/

Detection(s):

SecuriteInfo.com.Variant.Zusy.473104.24128.9319.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm cmd lolbin packed replace schtasks wscript

Link:

https://www.filescan.io/uploads/64a93021f415d4fc6f9e8cfd/reports/0c17040c-32fb-461c-811c-f96fcfabc9a0/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c1c9fa9f-cc16-46df-a3fa-cdcefc9b008d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8/

Threat name:

ByteCode-MSIL.Trojan.Zusy

Status:

Malicious

First seen:

2023-06-01 12:45:17 UTC

File Type:

PE (.Net Dll)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=rtjjqofovynrtr2kdgq2rylifw7fl6uclbtqnwowibefe5bej3ea._file

Verdict:

malicious

153d27bd441120fed477d629bdf1c9d8a8c5af1bc09b137241137a518153bb68

4364a60cc5f7039a24528452680648850d7b3f434c25892d1b3b5e5aa14898fb

6c798312f1aa6826f5e1dcc49ae54d4011d0e28245b3e6be0803dfd4381c6acb

77cc8d160dfa2efa3a75e52a620e3f8a6cc2665e94ed56aa1ddd97a61b59a5d1

888dc17f63eb7b61713327994a126c3ce5ca2b69e2643c8f6b7caa34235e972f

8ea0725c12db093e1fdb832954d88c79e17cca9557360173154d5e6ca278b80e

a91bc84dd26784dc82b1ee55b50dc3016738a09fa0f6cdd22ad053bc00dfa016

f99cffdfe64625c32f7b8a6911c915c45e3c06ccd3ed4f27b89a19dffac1245c

fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172

+ 107 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230708-lq2v1sdh34/

Unpacked files

SH256 hash:

8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8

MD5 hash:

1a1f83039d1b0b3ae515fff1c1062801

SHA1 hash:

8d0d763fc0143ca3a558be97839d1f8b9f2da783

Link:

https://www.unpac.me/results/160a6614-72b3-4f9c-acac-44e6724122ed/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8cd29838aeae1b19c74a19a1a8e1682dbe55fa82586706d9d640485274244ec8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	extracted_at_0x44b Create hunting rule
Author:	cb
Description:	sample - file extracted_at_0x44b.exe
Reference:	Internal Research

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_Reverse_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downloaders) containing reversed URLs to raw contents of a paste

Rule name:	MALWARE_Win_DLAgent09 Create hunting rule
Author:	ditekSHen
Description:	Detects known downloader agent

Rule name:	SUSP_VBS_Wscript_Shell Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon