MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9042b9125a0d3aa5322d0576a85fc865f75e3115bd471416dd6b08317f0eb6ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9042b9125a0d3aa5322d0576a85fc865f75e3115bd471416dd6b08317f0eb6ba
SHA3-384 hash: 463fc2690c0b384461a1eb47b46ab5f817f452e6c4c7e7de9483ebffa8bf3124ce0ac9cf55b5e906ddb9d425e30d5eb9
SHA1 hash: eae7e261082392682c7873b18eba8345500c1d62
MD5 hash: 643ac999a87cb24d6e1362e1112a9ae7
humanhash: pluto-early-lake-west
File name:643ac999a87cb24d6e1362e1112a9ae7.exe
Download: download sample
File size:1'340'747 bytes
First seen:2021-06-17 06:48:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:bq1ZqnNNnHZf4iUAEL9uQTfKeKr7Aizlga7A5SQ:21ZqPnBl69sr7PvLQ
Threatray 210 similar samples on MalwareBazaar
TLSH 1A553383A98A893EE5994C315E61DBA51936FC211C31CE0D7361ECBD37B1C81AA34B9D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x86_x64_setup
Verdict:
Malicious activity
Analysis date:
2021-06-17 04:54:14 UTC
Tags:
evasion opendir loader trojan stealer vidar rat redline phishing danabot autoit
Link:
https://app.any.run/tasks/b663d57a-95d6-4844-a084-02a195b4fa79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Terse
Create hunting rule
Link:
https://www.capesandbox.com/analysis/166499/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a4bdce0-8359-424e-87d5-1f51f26f9173
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803535
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435942 Sample: taQ3CBmblo.exe Startdate: 17/06/2021 Architecture: WINDOWS Score: 100 60 Found malware configuration 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Detected unpacking (overwrites its own PE header) 2->64 66 5 other signatures 2->66 10 taQ3CBmblo.exe 25 2->10         started        13 SmartClock.exe 2->13         started        15 SmartClock.exe 2->15         started        process3 file4 46 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 10->48 dropped 50 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 10->50 dropped 52 3 other files (none is malicious) 10->52 dropped 17 vpn.exe 7 10->17         started        19 4.exe 4 10->19         started        process5 file6 22 cmd.exe 1 17->22         started        25 dllhost.exe 17->25         started        44 C:\Users\user\AppData\...\SmartClock.exe, PE32 19->44 dropped 27 SmartClock.exe 19->27         started        process7 signatures8 68 Submitted sample is a known malware sample 22->68 70 Obfuscated command line found 22->70 72 Uses ping.exe to sleep 22->72 74 Uses ping.exe to check the status of other devices and networks 22->74 29 cmd.exe 3 22->29         started        32 conhost.exe 22->32         started        process9 signatures10 76 Obfuscated command line found 29->76 78 Uses ping.exe to sleep 29->78 34 PING.EXE 1 29->34         started        37 Roccia.exe.com 29->37         started        39 findstr.exe 1 29->39         started        process11 dnsIp12 54 127.0.0.1 unknown unknown 34->54 56 192.168.2.1 unknown unknown 34->56 41 Roccia.exe.com 37->41         started        process13 dnsIp14 58 FPPEOCCamBGuvLAAwFRiJhA.FPPEOCCamBGuvLAAwFRiJhA 41->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9042b9125a0d3aa5322d0576a85fc865f75e3115bd471416dd6b08317f0eb6ba/
Threat name:
Win32.Trojan.Azorult
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 19:05:27 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
20 of 46 (43.48%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1298b62fc3c9668e95a2d8af5f3c227afa87083c3e614d48d01d01509316c3ec
1c5bcf31d6b2317de8b0df15fca469681a26845ff6f7e7810c37743af816d4b7
473574ab9286caa551c88e2a3ac32e8b7975baac765bf084fd8c6ccb89737666
4bc74f0c9c8b45502fa4989b3e25808db909cf5239034951b6ab343d90678470
6f6a28c56adaaf83617deac4c89e060074b14697872ffcbce53c72cd5cf5a3b5
7de7947e52663865b295e5f4377da5ff018beac438c17ff9ecd8e67eb0202bb0
9ac798196b54bcc62cf880e28321e32b2b59cdab375267027f5e812c139c1892
9e7dfceb92306a6a5f8317840bd2614130973d14c04a88e4bf5a755b583e4ccb
ab989aa468cfedde0cf4f1c8a07af418c3f7d64c716f5034e7b144a14030a42e
c3c916d14f61357a5e5a61e2efe0f061dc2b8b2cc4b113155f0048a752cdc85d
+ 200 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/210617-24gznf1nvn/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/dba3c9f4-a18d-47ba-b25a-225fb8c70b91/
SH256 hash:
0d52f9576b7e53c20b945f8161281c4894988ee25d4e57b7bc721b5390fc8a24
MD5 hash:
e9873bfee9c0e7f4c0047ec1cb0858ff
SHA1 hash:
cbd0c7a5f96dca02e9172cec987b1e0389bc5d84
Link:
https://www.unpac.me/results/dba3c9f4-a18d-47ba-b25a-225fb8c70b91/
SH256 hash:
480c0465e9fe6be9db0b67531ddd08f04a439e68597ef4961471ca3755fede2b
MD5 hash:
d5587df22effdfa304a91f33a9c37128
SHA1 hash:
74c048b22301d2ce1533e18c5270a810fa8191bf
Link:
https://www.unpac.me/results/dba3c9f4-a18d-47ba-b25a-225fb8c70b91/
SH256 hash:
9042b9125a0d3aa5322d0576a85fc865f75e3115bd471416dd6b08317f0eb6ba
MD5 hash:
643ac999a87cb24d6e1362e1112a9ae7
SHA1 hash:
eae7e261082392682c7873b18eba8345500c1d62
Link:
https://www.unpac.me/results/dba3c9f4-a18d-47ba-b25a-225fb8c70b91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9042b9125a0d3aa5322d0576a85fc865f75e3115bd471416dd6b08317f0eb6ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9042b9125a0d3aa5322d0576a85fc865f75e3115bd471416dd6b08317f0eb6ba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1371593/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/166499/

Comments