MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8308f0cec92592b3c4efdb35cee334b80d9aa61084102fe14a272099b2ab81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d8308f0cec92592b3c4efdb35cee334b80d9aa61084102fe14a272099b2ab81
SHA3-384 hash: df046d6976abb7176373b9fb03901ddcea379f3a0bdc4fd8e5f0f75ec5f13f9c60b8f839efa72f023fa70095c7cf4307
SHA1 hash: 7522a1beadbd8e887bd4dee3cfc59e041b25af38
MD5 hash: 5fdf5a98c8c9faa14675e62763efe76a
humanhash: fish-kansas-carpet-pasta
File name:5fdf5a98c8c9faa14675e62763efe76a.exe
Download: download sample
File size:17'192'448 bytes
First seen:2023-04-18 11:33:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d82bfacbfe3bdcadcffeb0d84a141245
ssdeep 393216:FclAfuLZZhtDzQkTRU8Bf0cVHsthPmumSqw4rsInTrN9CQRPu1m:Fcef4HhtDzFTRU8h0dtc5g4/N9CQ48
Threatray 24 similar samples on MalwareBazaar
TLSH T1980733292925E53CF69C03706AFE1FB0246B4290ED291D1648FC6D3F3D3736F294A966
TrID 63.4% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
4.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon f0d4ae6d6ba2cc70
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
220
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5fdf5a98c8c9faa14675e62763efe76a.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 11:39:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/60253004-6e0a-4ea0-bf4e-e4c7fa2488dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.32244.27626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Sending an HTTP GET request
Sending an HTTP POST request
Creating a file
Creating a file in the %AppData% directory
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Searching for the window
Changing a file
Unauthorized injection to a recently created process by asynchronous procedure call
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/643e803148716a65fb204c46/reports/abd359ac-9feb-47ea-bf9e-7bb41178dd67/overview
Verdict:
Malicious
Labled as:
OnlineGames.HI.gen
Link:
https://www.hybrid-analysis.com/sample/8d8308f0cec92592b3c4efdb35cee334b80d9aa61084102fe14a272099b2ab81
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1bd8b856-fa6a-439a-bf05-e963cd531eec
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215883
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Detected VMProtect packer
Early bird code injection technique detected
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has a writeable .text section
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Renames NTDLL to bypass HIPS
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848823 Sample: i3to9CMNEP.exe Startdate: 18/04/2023 Architecture: WINDOWS Score: 100 36 Snort IDS alert for network traffic 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 7 other signatures 2->42 6 i3to9CMNEP.exe 34 2->6         started        process3 dnsIp4 26 203.135.100.141, 49700, 49703, 49704 CT-HANGZHOU-IDCNo288Fu-chunRoadCN China 6->26 28 default.cn.zb.wagbridge.ad.alibabacorp.com.gds.alibabadns.com 59.82.31.201, 443, 49699 CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd China 6->28 30 2 other IPs or domains 6->30 16 C:\Users\user\Desktop\        335      .exe, PE32 6->16 dropped 18 C:\Users\user\AppData\...\lah8CD6tmp.dll, PE32 6->18 dropped 44 Early bird code injection technique detected 6->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->46 48 Writes to foreign memory regions 6->48 50 2 other signatures 6->50 11        335      .exe 2 27 6->11         started        file5 signatures6 process7 dnsIp8 32 gg.et-sb.com 11->32 34 dyz.laomox.com 11->34 20 C:\Users\user\AppData\Local\Temp\66abe1.tmp, PE32 11->20 dropped 22 C:\Users\user\AppData\Local\Temp\66a50a.tmp, PE32 11->22 dropped 24 C:\Users\user\AppData\Local\Temp\66a17f.tmp, PE32 11->24 dropped 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->52 54 Renames NTDLL to bypass HIPS 11->54 file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d8308f0cec92592b3c4efdb35cee334b80d9aa61084102fe14a272099b2ab81/
Threat name:
Win32.Trojan.FlyAgent
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 20:12:02 UTC
File Type:
PE (Exe)
Extracted files:
683
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwbqr4gozeszfm6e57ntltxdgs4a3gvgcccbal7bjitsbgnsvoaq._file
Verdict:
malicious
Similar samples:
10835966177c277d70fae42109ddacccea06ab0c576709e9a68ec768840882ae
45982d6a7674a3ff4d2f28e95963d74729e0cb3059c08ef2e4c235182bf4591d
485a5454645f5d90d1b3097336b08dcaa9d4b49db9738a2f953e81081002600d
56133c0d017af35f49253926e3583cf72c36146ab7faa65b6058971685166652
6ce171619dd97a51a8d5e6a4eaeea86f4fea6ed400c9e0a879b690b4fbd0a6b4
75b388003cc32b680abc3d9b41bc6c435af723de235eaab36a323fddcb906f62
799b7395c9f279d8cd1cd24657788ecb37db7ae03c0dddeb3344a95a551d1325
d003e8350d5dc3823f7c415c4b901a24c5731307bb3d0f464b3630bb1e0cb2ba
e6902e5efb53a1de2af93809a5103603aa8115e0f80fa95ade2461947bff4c7e
faaf2d27ca3c7a332b9c9474b869931e614e77697d30703c4f2c02b14237b019
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
bootkit persistence upx
Link:
https://tria.ge/reports/230418-npgvkabb28/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Writes to the Master Boot Record (MBR)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Unpacked files
SH256 hash:
96c728b8a3bd241907d03c0dffd9c3e9f71866e53095849a911e38aa9f492a0b
MD5 hash:
e2e81d62c5deba9c8fc068fbb90c51e8
SHA1 hash:
ff107cdfc27a30ed5fa2cc577541360bce72f96b
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
6ecdba16b78d6c62c39da9fc6326211f8abfdd3a52275285ad950561eb09822f
MD5 hash:
fd3985ded39ce365f8dc7eb7eb9702ef
SHA1 hash:
d483583c0773027dc32a4e4c6be5de47f06c4e3c
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
d76b34af68ac5e104d7595eed4271e7b0acdd9644ebd3301f11db0d2f73f7772
MD5 hash:
a334c8c4f57d34f9181ce2de6a0d1bf9
SHA1 hash:
8900391b67dd0d1e4373b45fb350f32cc94cf1c3
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
5543eaf3231459ebe3e2b26bbd1a0d60183412bb8ebb8bc914a1ea4b7be13b28
MD5 hash:
a8e9c0e6c222d19de526996a3809f19a
SHA1 hash:
56b6186d3f0685f88bd8375c04e25b26d2244d8a
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
38b578b06dcb23ad05d6c288324e57cec91218f75c2277e695fe69fb64c6f149
MD5 hash:
483187574b7231832893fd17e26e3d02
SHA1 hash:
2f25efafb2f5ed77fb86e27b83406fd8f7ddf26b
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
f919f22a3f2dc20aa49328c95dde621bd42e719f528cfd4bcfe8ee56604ee143
MD5 hash:
f446c2deca38153ea1d0f317b2ce74f3
SHA1 hash:
07ce91d30069a52d373a21a304d9994abc737160
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
1e2bacf61ee74e7476dfc1fe4a92ba21e54a545b4340aa24110f00435a7fea29
MD5 hash:
33f81ae74a2b749df8755ea4fbaad759
SHA1 hash:
7fc6411650a4e8ca415133aac8836f6f3c1a143b
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
bb2be76c6903f383034893e7672e156ff1a3eba2e82ddfd29906a7079b0fb268
MD5 hash:
a5e1328627a6b1aabdfdc77820970367
SHA1 hash:
2b8ca04c57c40599a8aef35726070769a41aad9c
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
e4416da815e578d5568535c3e106fe364d96e43412ca4696dc760d311dd0ec11
MD5 hash:
65e93ecdcbf66ccfc9a2269fdd48dcbd
SHA1 hash:
0bae400130b5ce46c320105fe02333149265a609
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
SH256 hash:
8d8308f0cec92592b3c4efdb35cee334b80d9aa61084102fe14a272099b2ab81
MD5 hash:
5fdf5a98c8c9faa14675e62763efe76a
SHA1 hash:
7522a1beadbd8e887bd4dee3cfc59e041b25af38
Link:
https://www.unpac.me/results/08b08d98-9d69-4c8d-b7c6-6c545a9ffd2e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8d8308f0cec9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Disabler
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d8308f0cec92592b3c4efdb35cee334b80d9aa61084102fe14a272099b2ab81

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments