MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4
SHA3-384 hash: c8b0e8ef1a7712d681962a9bb4db13a273b7c143453071af838c19a295e878d7ec27e37c9c83aa761d3b7bf9d322a546
SHA1 hash: 76ff1612fa82d3a03cb49aa05a2742bf9e16c20c
MD5 hash: a8028f424afbd92523f47631fe948b7d
humanhash: iowa-alabama-november-thirteen
File name:a8028f424afbd92523f47631fe948b7d.exe
Download: download sample
File size:1'092'140 bytes
First seen:2021-03-13 08:32:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:U53uhFoW4FVZAESthxfQdNybZlArMmgjMBq5v4vR:U5+hFoLZatLyylurMmSMBeI
Threatray 52 similar samples on MalwareBazaar
TLSH 223523A126DA43B9C1F326705D8433225BF9E3303B2645D75BC8030A6B366D5F73A79A
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2021-03-12 12:53:41 UTC
Tags:
autoit stealer trojan loader evasion opendir danabot
Link:
https://app.any.run/tasks/30610470-46ff-48cb-b01a-03ff4fd3d462

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124073/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Creating a process from a recently created file
Deleting a recently created file
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Cryptbot
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/638515
Signature
Contains functionality to register a low level keyboard hook
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Cryptbot
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 368234 Sample: 1hPZ0wu0vT.exe Startdate: 13/03/2021 Architecture: WINDOWS Score: 72 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Cryptbot 2->44 46 Obfuscated command line found 2->46 48 2 other signatures 2->48 9 1hPZ0wu0vT.exe 8 2->9         started        process3 signatures4 50 Contains functionality to register a low level keyboard hook 9->50 12 cmd.exe 1 9->12         started        14 cmd.exe 1 9->14         started        process5 signatures6 17 cmd.exe 2 12->17         started        20 conhost.exe 12->20         started        52 Submitted sample is a known malware sample 14->52 22 conhost.exe 14->22         started        process7 signatures8 38 Obfuscated command line found 17->38 40 Uses ping.exe to sleep 17->40 24 Era.com 17->24         started        26 PING.EXE 1 17->26         started        29 findstr.exe 1 17->29         started        process9 dnsIp10 31 Era.com 3 24->31         started        34 127.0.0.1 unknown unknown 26->34 process11 dnsIp12 36 fzFRrYhDpUDZFShxZlGePZtXFkn.fzFRrYhDpUDZFShxZlGePZtXFkn 31->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4/
Threat name:
Win32.PUA.7zip
Create hunting rule
Status:
Malicious
First seen:
2021-03-12 06:45:05 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  1/5
Verdict:
suspicious
Similar samples:
00dfe1c0275613464fac102cd1d1bf35983038db80455b92be2630fbe9cf040b
2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
29c0c875bd961391938a48794be49c006a1ee8c31e25a1fd5f0891f5dcd46e6c
2b9ab52795f34af8e45a80c88ebd53c725bcccdab49aee05a8b848566e8c3b28
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
f26b948f55870e1e1c049325fa71e957cd87b85f53972f2c2cc258e9b0029a74
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
+ 42 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210313-4qcqtxf6m2/
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
86ecf077a63f1937f71dd362a0a19adebd1f150ecdc0e821155a3d7a1b5dc0c7
MD5 hash:
1007ab749b57d2717f59fb42d962a9cb
SHA1 hash:
2971be592a2fa54a00a7fb52741e13362d20509f
Link:
https://www.unpac.me/results/0e4d2858-c214-4639-84e2-7121d44f340a/
SH256 hash:
c2614c6d638c9243ff2528db02220c597c183673e884745e7f959f820625f1cc
MD5 hash:
5944324cea0d0f967a8759753a86f669
SHA1 hash:
4c831a9f28830554be53b0e81862f7bf2c749d7d
Link:
https://www.unpac.me/results/0e4d2858-c214-4639-84e2-7121d44f340a/
SH256 hash:
8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4
MD5 hash:
a8028f424afbd92523f47631fe948b7d
SHA1 hash:
76ff1612fa82d3a03cb49aa05a2742bf9e16c20c
Link:
https://www.unpac.me/results/0e4d2858-c214-4639-84e2-7121d44f340a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
OpenCandy
Score:
0.40
Link:
https://yomi.yoroi.company/submissions/8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8f7f128c12e1966daae887b04edd6c8bed3b178cc2f6d83e5970249463cb5bb4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1063333/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124073/

Comments