MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
SHA3-384 hash: d773ffc4693c24dff5fa95ec55fe05eb3f413d9d5a26cbd8b802214aa5c064b4088873305e767a55b084220b78de7f58
SHA1 hash: 0d74625b6123a6a495102ae1f020d17f50bff774
MD5 hash: b2c02256af5ef687ef49fe7e25cebbe5
humanhash: red-colorado-neptune-delta
File name:b2c02256af5ef687ef49fe7e25cebbe5.exe
Download: download sample
File size:15'737'596 bytes
First seen:2023-04-17 05:24:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 393216:Ri5ceG70bqBEXfxh2zzFwCiy6XZ1M9m6/+bX99cA:RveVZXfxh2dSdqP+bN9x
Threatray 1'412 similar samples on MalwareBazaar
TLSH T194F6337FF268A03EC49B173249B3825099377A61B91A8C1B17FC741CCF765601E3EA5A
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b2c02256af5ef687ef49fe7e25cebbe5.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 05:27:41 UTC
Tags:
installer
Link:
https://app.any.run/tasks/3c4b0913-05ff-4668-ad9d-ee62ab790f18

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.7542.4764.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80001/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/643cd831c1735fe5e7566356/reports/1e35d2d1-45ed-4e81-a1d1-55b42bc5aa15/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/500fa712-39c7-49a8-a122-403a47e2a117
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.rans
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1214968
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Found potential ransomware demand text
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 847896 Sample: 0HS6j4FKiS.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 52 78 secure.skype.com 2->78 80 imap.fnaf.com 2->80 82 alt1.gmail-smtp-in.l.google.com 2->82 86 Snort IDS alert for network traffic 2->86 88 Antivirus detection for dropped file 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 4 other signatures 2->92 11 0HS6j4FKiS.exe 2 2->11         started        15 VuzeBittorrentClientInstaller.exe 2->15         started        17 VuzeBittorrentClientInstaller.exe 2->17         started        signatures3 process4 file5 76 C:\Users\user\AppData\...\0HS6j4FKiS.tmp, PE32 11->76 dropped 98 Obfuscated command line found 11->98 19 0HS6j4FKiS.tmp 26 22 11->19         started        signatures6 process7 file8 64 C:\Users\user\AppData\Roaming\is-E9IEK.tmp, PE32 19->64 dropped 66 C:\Users\user\AppData\Roaming\1.exe (copy), PE32 19->66 dropped 68 C:\...\unins000.exe (copy), PE32 19->68 dropped 70 7 other files (3 malicious) 19->70 dropped 94 Adds a directory exclusion to Windows Defender 19->94 96 Disables Windows Defender (via service or powershell) 19->96 23 1.exe 8 19->23         started        26 powershell.exe 19 19->26         started        28 powershell.exe 21 19->28         started        30 3 other processes 19->30 signatures9 process10 file11 72 C:\Users\user\AppData\Roaming\uTorrent.exe, PE32 23->72 dropped 74 C:\Users\user\AppData\Roaming\goopdate.dll, PE32 23->74 dropped 32 uTorrent.exe 7 23->32         started        36 conhost.exe 26->36         started        38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        42 conhost.exe 30->42         started        process12 file13 56 C:\ProgramData\Chrome\goopdate.dll, PE32 32->56 dropped 58 C:\ProgramData\ChromebehaviorgraphoogleUpdate.exe, PE32 32->58 dropped 60 C:\ProgramData\Chrome\XnViewMP.xml, XML 32->60 dropped 62 2 other files (none is malicious) 32->62 dropped 84 Uses schtasks.exe or at.exe to add and modify task schedules 32->84 44 schtasks.exe 32->44         started        46 schtasks.exe 32->46         started        48 schtasks.exe 32->48         started        signatures14 process15 process16 50 conhost.exe 44->50         started        52 conhost.exe 46->52         started        54 conhost.exe 48->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r4sv6l37onit7qx4kxyeuda45ml3ajefg4qlynmse7zt42ngaccq._file
Verdict:
unknown
Similar samples:
084edf73cf31ee0c9ee417ad0b2f62efd98956cb22582db1f6d6bcff043af6e9
2c8960c00dfc803bb8175a6833904173b6ff044c7128c24c8de2379b47274c77
507784fa7810e00285aa5467191caeea083644985a9d6f96b06684715e2d5add
6a4e8a5b81223afdbe0d39158cb013057e41d5ae6626e1e6c8aef0a5dfd02ca2
6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6
72c4d8867a04bf45963c4de8a847c6b53ecda8f3b39a417faf1cf04700561e20
840cf44c6fe52b883a3ebb5cbdd0a3705ffb661109265fbf68a1330266fd6cc6
b25ae1db93e568ba7a07c876e4f8af316078b05dd67a994ff79fee997a7a46ab
+ 1'402 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230417-f4aqssdb32/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
485019aef97fc6f68f24869eb6329c435b06dd78fa29334524ebcac4127d22b1
MD5 hash:
8a93dc5c6e087af6629ee6c79212adb9
SHA1 hash:
421a814aa334c109d871d8d8ef8565b0a1db229d
Link:
https://www.unpac.me/results/51633fb1-8bd2-415c-910f-fab7ee0a7843/
SH256 hash:
dfe4fc16dcb543f2bb5dc794c58c66b3f397627f21482ee3119d6991ce2645fd
MD5 hash:
64163efcc9ac2c2bd80f1324ec512cc1
SHA1 hash:
88496ee9a6ae507d208489b3778bd578a686422e
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/51633fb1-8bd2-415c-910f-fab7ee0a7843/
Parent samples :
8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f
SH256 hash:
461338f8cef5aed887758e1667bd50c1b3f37a1250f9587e561faf048142822b
MD5 hash:
915c6e21d5f0843d745b13d99107af5a
SHA1 hash:
a657b78527f416f1e81c055cf70016748bf44dda
Link:
https://www.unpac.me/results/51633fb1-8bd2-415c-910f-fab7ee0a7843/
SH256 hash:
8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
MD5 hash:
b2c02256af5ef687ef49fe7e25cebbe5
SHA1 hash:
0d74625b6123a6a495102ae1f020d17f50bff774
Link:
https://www.unpac.me/results/51633fb1-8bd2-415c-910f-fab7ee0a7843/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f255f2f7f73/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments