MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9
SHA3-384 hash: c3b45f4bb7e58a8b1ac366f32cb999f8f3e44437769c1d616f451e982a952f67f7b487159e93dc15ddf20f0bdfe433b9
SHA1 hash: 31d3b11b9e9f2d0f7b51223221060779a3808b6b
MD5 hash: be701a6374595e18df449fc8cbe5d19f
humanhash: zebra-chicken-potato-fanta
File name:168719827527387cf82250aacadd769835302d474642a03ce46adaa90ebbfbd74cee449cc9838.dat-decoded
Download: download sample
File size:3'245'568 bytes
First seen:2023-06-19 18:11:16 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 49152:pD23daq+vtnwypuexkF1VLtVlKAfltLsE28Nv0qnvsol5L7/lXT:pDpwypuexOhtrKAflJMwU81FT
Threatray 48 similar samples on MalwareBazaar
TLSH T158E5AD09B6A6DE67D3D8BB3EA06B51188731C6237712BB1F1B7D01753C927B409423EA
TrID 80.3% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
4.4% (.SCR) Windows screen saver (13097/50/3)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
3.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:base64-decoded dll


Avatar
abuse_ch
Malware dropped as base64 encoded payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
299
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400645/
Detection(s):
SecuriteInfo.com.Variant.Zusy.472162.8235.32726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64909a7329f34e03c0821a9e/reports/6de29587-9447-4234-bca1-690b88eaed81/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bd26c1ec-ae0b-43e1-acf1-07ca8c50d2c2
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1257627
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Sigma detected: Execute DLL with spoofed extension
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-06-19 18:12:07 UTC
File Type:
PE (.Net Dll)
Extracted files:
4
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rt5ldjgfomidwwzzv3imfs4pxtlw2jdnppaqn7ik2h5gvxx7sg4q._file
Verdict:
malicious
Similar samples:
32fcd31207c5e310957801fca81578c9dcba9ed3515809f62a7d50d93ad033db
3c89cb1c6c74747eadb40f158ea38751bd1a61acdc789b86f0acd0a107b689e9
46b7366f88fd44a82cd00e4979f676b464c9f7c0169450ff3dcc014d9650b517
6234c83cf8e46f8e09fed9cbf0456be735dc8640c2df0ee4734b7fa730e0b8eb
7474c59e2ced7b554bc03a190b33690f640a8f415b38fe21e2caa0a7a33215c9
9f09516333917e1e0f67e19b6cff1f3bd341f2931a9efbc05e4653a12743bd6b
cdb463c9aeff4b1d0090647e3baa27f32360301b0be912489f2b32e1f469650e
d9577a11fb93cf09c220f70d087e55eb4c7c5fed0537aebd8013e7e01a8d5d15
e75e7b4f4db640c54deb092dd373afa2b692a2078461cd0193e2b54b84c8250c
f3adace9b9f1d61d8752f65c0418a49595e347c417a17b14655d838993b74229
+ 38 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230619-ws6bbsgf4t/
Unpacked files
SH256 hash:
8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9
MD5 hash:
be701a6374595e18df449fc8cbe5d19f
SHA1 hash:
31d3b11b9e9f2d0f7b51223221060779a3808b6b
Link:
https://www.unpac.me/results/0b39032d-0bec-47d4-9d6e-ecd9f7d44f15/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

27387cf82250aacadd769835302d474642a03ce46adaa90ebbfbd74cee449cc9

DLL dll 8cfab1a4c573103b5b39aed0c2cb8fbcd76d246d7bc106fd0ad1fa6adeff91b9

(this sample)

  
Dropped by
SHA256 27387cf82250aacadd769835302d474642a03ce46adaa90ebbfbd74cee449cc9
  
Dropped by
MD5 eb745c5caee634db1432f62d09d254de
  
URLhaus
https://urlhaus.abuse.ch/url/2666485/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/400645/

Comments