MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
SHA3-384 hash: 35454bfdd7173d845be28a3e2af50389c1e5fe0a17808fc934417484b4679eb5595d8e444641a4c06cff87f020ff627c
SHA1 hash: 1bbb25a55292d014a4649f80b8739692948f4f84
MD5 hash: 98e6c4655b9603d6b34d5ebb046a24f8
humanhash: sad-glucose-paris-vegan
File name:98e6c4655b9603d6b34d5ebb046a24f8.exe
Download: download sample
File size:409'600 bytes
First seen:2021-02-22 19:18:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d (5 x Gh0stRAT, 2 x PurpleFox, 1 x YoungLotus)
ssdeep 6144:2SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0scVC:3ux9g5F6U2WOWczLygAzN6fJ1
Threatray 27 similar samples on MalwareBazaar
TLSH 959412A23BC70655C34CB6B1CCA48B28039DD3E41E6D900FBE306959FD652ED9D3AE46
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118401/
Detection(s):
Win.Keylogger.Deepscan-7603977-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Creating a file in the drivers directory
Loading a system driver
Creating a window
DNS request
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Sending a UDP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614552
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356285 Sample: xjvKgPDi5r.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for dropped file 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 6 other signatures 2->44 7 Qhyqh.exe 2->7         started        10 xjvKgPDi5r.exe 1 2 2->10         started        13 svchost.exe 9 1 2->13         started        15 4 other processes 2->15 process3 file4 50 Antivirus detection for dropped file 7->50 52 Multi AV Scanner detection for dropped file 7->52 54 Machine Learning detection for dropped file 7->54 56 Drops executables to the windows directory (C:\Windows) and starts them 7->56 17 Qhyqh.exe 13 1 7->17         started        30 C:\Windows\SysWOW64\Qhyqh.exe, PE32 10->30 dropped 32 C:\Windows\...\Qhyqh.exe:Zone.Identifier, ASCII 10->32 dropped 22 cmd.exe 1 10->22         started        signatures5 process6 dnsIp7 34 s2010218.f3322.net 58.218.67.253, 8080 CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID China 17->34 28 C:\Windows\System32\drivers\QAssist.sys, PE32+ 17->28 dropped 46 Sample is not signed and drops a device driver 17->46 36 127.0.0.1 unknown unknown 22->36 48 Uses ping.exe to sleep 22->48 24 conhost.exe 22->24         started        26 PING.EXE 1 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 19:18:11 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
02965941d39eef787b6d2483095f7c5c6eec84a2a97ce4e85eee9e0e610506e2
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
ad8bb6a26ffb2234855a89f214ac91cc98c8e53910a181f7cf9828062a734c03
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210222-vb4jl1c4dx/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies data under HKEY_USERS
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
b02ecd10942f04770c4649d8b690c8dc5c6c5fa49404b2dfa387c6fac49498ec
MD5 hash:
c07785cb94c8dd84e10e5c4c2b78cdfc
SHA1 hash:
be5c9247801051e8d687a85035b9a64af88742b4
Link:
https://www.unpac.me/results/1d09907e-26dd-4166-9856-35575691d695/
SH256 hash:
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
MD5 hash:
98e6c4655b9603d6b34d5ebb046a24f8
SHA1 hash:
1bbb25a55292d014a4649f80b8739692948f4f84
Link:
https://www.unpac.me/results/1d09907e-26dd-4166-9856-35575691d695/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1024488/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/118401/

Comments