MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9
SHA3-384 hash: 08874dec73fb4cc5565f4ff7c2fd2655d238897eb8fd7d6383e0043e26402a274b56a71d1aeb78e6556d62b675761109
SHA1 hash: a9a7999d33708c5dc55aa6f7e4649995b2fe9201
MD5 hash: 16d5bb71cd8b410cdde68344172ce826
humanhash: cup-cardinal-spaghetti-november
File name:16d5bb71cd8b410cdde68344172ce826
Download: download sample
File size:271'872 bytes
First seen:2022-11-26 00:15:27 UTC
Last seen:2022-11-26 01:29:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:ohNhrDI0wRH/Vs9/j2NiMen421sFKBRc8IYqfXvo4JEf40tQ0FN:Ek0wRH/Vs9/gin42kCDr+wi0tQ
Threatray 2'060 similar samples on MalwareBazaar
TLSH T16D44028267D2652CC4EA6F7B847BE6830238B6186A35DF0F0688306F1D537958752F7B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon b1696df0c8c8f030
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
16d5bb71cd8b410cdde68344172ce826
Verdict:
Suspicious activity
Analysis date:
2022-11-26 00:18:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06cf6dee-9aa1-4d1d-8637-3805948d1c2d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338638/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.63787285.8476.902.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a window
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63815ac4090ea3f0493496f5/reports/44f5518d-3ada-4c01-8d80-a692103580c8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4f077e72-623b-46c8-bd84-446ba3df99ad
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1121416
Signature
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-22 09:22:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5d45qyebr6j7t3x32z64ldzjzqfyzwbil2af77lhdiekgwjypeq._file
Verdict:
malicious
Similar samples:
0d852bfcbc49afecc18e426f7d694597966256d55c225a4ae798a7e98200b5ca
5475722d8025caaffe4fcb7a434403c35db22761a98d31d0f202d9f682b8bd50
6232bd70528f163b7aa8e8d76f6c4e63a0660eb112eabf2cc1859cc9e83ca755
88c93fb2359cc5f0da6886983c67d923955d210daf5a458e382d024124a67458
9186f4166af5ab900f6f1c8a183a09154655ef1b0d0e9a9cf2c1fb2fa90ab87b
ba319ab5c744553d08d3e981e76445631626be828e08bfa84487ae19434912b9
cb1bfed9b946adbcb897876432268c9bc453b4b489a6df99f5812d5f71b95ea7
e302530e680780414528ef634f5e9c258ddcedbca098eb079be321650441b1f8
eb41f0d7fa86d49349be3d44f29f71bb3b93091f2894eae69371e0d12310f6b9
+ 2'050 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221126-akggcaha56/
Behaviour
Suspicious use of AdjustPrivilegeToken
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/07d080fb-bcb8-4ba9-ae32-bab258b3bcb9
Unpacked files
SH256 hash:
8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9
MD5 hash:
16d5bb71cd8b410cdde68344172ce826
SHA1 hash:
a9a7999d33708c5dc55aa6f7e4649995b2fe9201
Link:
https://www.unpac.me/results/f58fa1d9-aa44-49f3-806c-2cbe1368ffbe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8f47cec3040c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8f47cec3040c7c9fcf77deb3ee2c794e605c66c142f402ffeb38d0451ac9c3c9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2433264/
Cape
Cape
https://www.capesandbox.com/analysis/338638/

Comments


Avatar
zbet commented on 2022-11-26 00:15:31 UTC

url : hxxp://138.124.183.65/bb.exe