MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d9ed28e4ff869fb32f2f4a97c12d40c43942e72a31e9c14c3ce6ddfa0eb63be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 8d9ed28e4ff869fb32f2f4a97c12d40c43942e72a31e9c14c3ce6ddfa0eb63be
SHA3-384 hash: 911c098ad52e98fe646652e2919568ffc41635a1d89d82556f93afb5e7e6e88e89811224a06e8257c1d16488e3f6ddf5
SHA1 hash: 40acca2f51a9f40ed4e671ebcbd0233c4149dc08
MD5 hash: 7d490b957c53094cb972141b082c0b41
humanhash: jig-comet-sad-cold
File name: 7d490b957c53094cb972141b082c0b41.exe
Download: download sample
File size: 457'728 bytes
First seen: 2021-10-07 09:05:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7182b1ea6f92adbf459a2c65d8d4dd9e (5 x CoinMiner, 4 x RedLineStealer, 4 x DCRat)
ssdeep: 12288:IbjDhu9TaseNlEP959axuflmi/fLCwQtvu:21eTaLNmD9axuf/LZ
Threatray: 72 similar samples on MalwareBazaar
TLSH: T14EA4F16AB2E41095DBF641F2D4911706EA70B4721B2573CF2BA453771B2B8CA9F3D3A0
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 133
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: setup_x86_x64_install.exe
Verdict: Malicious activity
Analysis date: 2021-10-06 23:04:16 UTC
Tags: trojan rat redline loader stealer vidar evasion ficker opendir

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Deleting a recently created file
Replacing files
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 45 / 100

Signature
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph (ID: 498676)
Sample: HuSyWqL0nL.exe
Start date: 07/10/2021
Architecture: WINDOWS
Score: 45
Signatures on submitted sample: Multi AV Scanner detection for submitted file; Yara detected BatToExe compiled binary
Process tree:
HuSyWqL0nL.exe started
  dropped C:\Users\user\AppData\Local\Temp\...\extd.exe (PE32+)
  cmd.exe started
    extd.exe started (Multi AV Scanner detection for dropped file)
    extd.exe started, connection to 162.159.130.233, 443, 49753 CLOUDFLARENETUS United States
    extd.exe started, connection to cdn.discordapp.com 162.159.135.233, 443, 49746 CLOUDFLARENETUS United States
    2 other processes started
Threat name: Win64.Trojan.Sabsik
Status: Malicious
First seen: 2021-10-06 19:43:50 UTC
AV detection: 17 of 45 (37.78%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: suricata upx
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
Unpacked files
SHA256 hash: 8d9ed28e4ff869fb32f2f4a97c12d40c43942e72a31e9c14c3ce6ddfa0eb63be
MD5 hash: 7d490b957c53094cb972141b082c0b41
SHA1 hash: 40acca2f51a9f40ed4e671ebcbd0233c4149dc08
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8d9ed28e4ff869fb32f2f4a97c12d40c43942e72a31e9c14c3ce6ddfa0eb63be (this sample)

Delivery method
Distributed via web download

Comments