MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf
SHA3-384 hash:	247cb25aa8eb5717b53619637e12075ba80c06a75ef84e295691df1c18d5f21291802beec27293196d60566bb1dcd950
SHA1 hash:	6c3bb749d8ba0fa8eb2b1de7ac3b8c74a23fcb84
MD5 hash:	dad90ec40dc6163cac6bb8d13401b4c9
humanhash:	friend-berlin-potato-princess
File name:	8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf
Download:	download sample
File size:	4'019'992 bytes
First seen:	2021-01-26 10:58:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	485b1ad032d70dd8a818ad7d6708c2df
ssdeep	98304:IWJKKSTpFSFqBmpTS1PPag59j7Hnh8WZLzxFkCausGj2:IWJsF+TSPa6FxFkCausGq
Threatray	2 similar samples on MalwareBazaar
TLSH	09167D20FE4D4466E2F31231891BFEF9A6EDDD71C639F187C25CBA9C1A711C24A28167
Reporter	JAMESWT_WT
Tags:	BE SOL d.o.o. ParallaxRAT signed

Code Signing Certificate

Organisation:	BE SOL d.o.o.
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Jan 20 00:00:00 2021 GMT
Valid to:	Jan 20 23:59:59 2022 GMT
Serial number:	2ABD2EEF14D480DFEA9CA9FDD823CF03
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	9ACCFEB49F8AF2D552C0A8607A29708154EAAF4C288EB82ED334B212ADACEF5D
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf

Verdict:

Malicious activity

Analysis date:

2021-01-26 11:00:59 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1666f8e4-1de8-4e01-bd9d-bbe9f1ef374a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/113850/

Detection(s):

SecuriteInfo.com.BackDoor.Rat.317.12241.32434.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Moving a file to the %AppData% directory

Deleting a recently created file

Creating a file in the %temp% directory

Launching a process

Creating a window

DNS request

Forced shutdown of a system process

Unauthorized injection to a system process

Sending a TCP request to an infection source

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

66 / 100

Link:

https://www.joesandbox.com/analysis/590487

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sigma detected: Suspicious Svchost Process

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2021-01-25 23:21:29 UTC

File Type:

PE (Exe)

Extracted files:

127

AV detection:

19 of 46 (41.30%)

Threat level:

5/5

Verdict:

unknown

8f9d53981687f9cb6b3e49f03565cdda8e4ca9ccce56122f435f8851d7425f2b

Result

Malware family:

n/a

Score:

8/10

Tags:

ransomware upx

Link:

https://tria.ge/reports/210126-c9hthdawra/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

UPX packed file

Unpacked files

SH256 hash:

8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf

MD5 hash:

dad90ec40dc6163cac6bb8d13401b4c9

SHA1 hash:

6c3bb749d8ba0fa8eb2b1de7ac3b8c74a23fcb84

Link:

https://www.unpac.me/results/1253b504-2b44-4c6d-8a55-d4f8bc835d05/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f22d0bc0ecaabfea46715aafcaae5db27c74dc564a47c66fd7ffdb53e18e0bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/113850/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample