MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackShades


Vendor detections: 15


Intelligence 15 IOCs YARA 15 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b
SHA3-384 hash: b349d4fe783a67ada055469feeb8b8e7001215cf2d5ccaa917b8f85cbf683e6d803eb6d78c228376ba4cdc6f136ac67f
SHA1 hash: fcff4389a71cc7284d4759832b54301e41e1e772
MD5 hash: 1e6b5a0ca07280ff40486de4efd3ae49
humanhash: sad-undress-mississippi-april
File name:8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b
Download: download sample
Signature BlackShades
Create hunting rule
File size:397'744 bytes
First seen:2023-11-07 14:59:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 16d0bc68265a0d26b9c5bed16ec01661 (3 x BlackShades)
ssdeep 6144:oitLMK4x+Ppo9MqOd+QmWk8PIyZomw3jtWQmyrxL1ROwm/fOBBF2dl5TP:oiLMbUO90+QmWk8PTSmIxuJ4FI
TLSH T11F84121698EE9231E25A0BB05FE544E4D43EFD3335D2580FE781AB8C26A0E9F505277B
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter adrian__luca
Tags:BlackShades exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
366
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BlackShades Samples.zip
Verdict:
Malicious activity
Analysis date:
2023-11-07 16:35:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/58dee98e-8f82-406d-baa9-3e8a85f2bd2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Dpbnwrki-7009077-0
Create hunting rule

Win.Malware.Drrhksci-6853842-0
Create hunting rule

Win.Trojan.Agent-353486
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Enabling the 'hidden' option for analyzed file
Running batch commands
Creating a process with a hidden window
Setting a keyboard event handler
DNS request
Launching a process
Firewall traversal
Enabling autorun
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm darkkomet overlay packed
Link:
https://www.filescan.io/uploads/654a50f3641154c7e3ed59b5/reports/665d21f8-b695-4710-b9c1-ebd91be7c6d6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07f0d670-250e-460f-8713-5e232c2a87c4
Result
Threat name:
Blackshades, Poisonivy
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1338298
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Queries disk data (e.g. SMART data)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Yara detected Blackshades RAT
Yara detected Generic Dropper
Yara detected Poisonivy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1338298 Sample: Ii6Na0Xzq4.exe Startdate: 07/11/2023 Architecture: WINDOWS Score: 100 45 j8p.no-ip.info 2->45 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for URL or domain 2->53 55 Antivirus detection for dropped file 2->55 57 8 other signatures 2->57 9 Ii6Na0Xzq4.exe 2->9         started        signatures3 process4 signatures5 59 Contain functionality to detect virtual machines 9->59 61 Queries disk data (e.g. SMART data) 9->61 63 Injects a PE file into a foreign processes 9->63 12 Ii6Na0Xzq4.exe 4 3 9->12         started        process6 dnsIp7 47 j8p.no-ip.info 212.117.48.248, 81 CGATES-ASLT Indonesia 12->47 43 C:\Users\user\AppData\Roaming\Swat.exe, PE32 12->43 dropped 67 Creates an undocumented autostart registry key 12->67 69 Installs a global keyboard hook 12->69 17 cmd.exe 1 12->17         started        20 cmd.exe 1 12->20         started        22 cmd.exe 1 12->22         started        24 cmd.exe 12->24         started        file8 signatures9 process10 signatures11 49 Uses cmd line tools excessively to alter registry or file data 17->49 26 reg.exe 1 1 17->26         started        29 conhost.exe 17->29         started        31 conhost.exe 20->31         started        33 reg.exe 1 20->33         started        35 conhost.exe 22->35         started        37 reg.exe 1 1 22->37         started        39 conhost.exe 24->39         started        41 reg.exe 1 24->41         started        process12 signatures13 65 Modifies the windows firewall 26->65
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b/
Threat name:
Win32.Trojan.Dacic
Create hunting rule
Status:
Malicious
First seen:
2023-10-19 04:11:56 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
33 of 38 (86.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rtz6b3isa3qtstmfaf5a6ik3eb6mnmfr55ws7g25ewssuxlqi2nq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
bootkit evasion persistence upx
Link:
https://tria.ge/reports/231107-sdaz4ace47/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Writes to the Master Boot Record (MBR)
UPX packed file
Modifies Installed Components in the registry
Modifies firewall policy service
Unpacked files
SH256 hash:
f915eb69ae8c4daae23b5da2ea610c73da424d04f3a669feacc295468ff2ad66
MD5 hash:
19852ebd318207db6e2fa2e519e0c828
SHA1 hash:
80d078dc14ed2e57700bf3d222b78ebe9376ef0f
Detections:
win_blackshades_w0
Create hunting rule
Link:
https://www.unpac.me/results/4ded79fc-cf04-4865-9e44-bcc364095c70/
SH256 hash:
8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b
MD5 hash:
1e6b5a0ca07280ff40486de4efd3ae49
SHA1 hash:
fcff4389a71cc7284d4759832b54301e41e1e772
Link:
https://www.unpac.me/results/4ded79fc-cf04-4865-9e44-bcc364095c70/
Malware family:
BlackShades
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8cf3e0ed1206/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8cf3e0ed1206e1394d85017a0f215b207cc6b0b1ef6d2f9b5d25a52a5d70469b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackShades_25052015
Create hunting rule
Author:Brian Wallace (@botnet_hunter)
Rule name:BlackShades_3
Create hunting rule
Author:botherder https://github.com/botherder
Description:BlackShades RAT
Rule name:BlackShades_4
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:BlackShades
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MALWARE_Win_BlackshadesRAT
Create hunting rule
Author:ditekSHen
Description:BlackshadesRAT / Cambot POS payload
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:RAT_BlackShades
Create hunting rule
Author:Brian Wallace (@botnet_hunter)
Description:Detects BlackShades RAT
Reference:http://blog.cylance.com/a-study-in-bots-blackshades-net
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu
Rule name:win_blackshades_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.blackshades.
Rule name:win_blackshades_w0
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments