MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9262509414f88ba8a7ea799a041bdcab8c68c502917fa5d66cd39dbb940cea15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9262509414f88ba8a7ea799a041bdcab8c68c502917fa5d66cd39dbb940cea15
SHA3-384 hash: 93ca09e2b1e73857b2547749cc83a9e4fac1a0b1168369cb43e4d09d620f1b9bc2126574e723f79c2890b32c74daef33
SHA1 hash: 6503bbd766e9ba94e9b25c1a2cf433abee12a764
MD5 hash: f24a239992856832a14d1546fc4cdda1
humanhash: xray-single-sad-zebra
File name:f24a239992856832a14d1546fc4cdda1
Download: download sample
File size:253'952 bytes
First seen:2022-03-09 20:13:27 UTC
Last seen:2022-03-09 21:51:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:dRHs7bZW1uCroNcGK8R6bav95snlv6sTfN/2jh/znbVxyZ0r:dRabEpEeVbbaXG6sLN/QLnb+G
Threatray 273 similar samples on MalwareBazaar
TLSH T10F44CF4177649A63C56483398CE7E3F65B30BEBA6F01574B7298F39DACB63884C43085
File icon (PE):PE icon
dhash icon 72e0d8f0dc743001
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248872/
Detection(s):
SecuriteInfo.com.StaticAI-SuspiciousPE.1444.26172.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Searching for the window
Changing a file
Launching a process
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Launching a tool to kill processes
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/62290a940cd58dbd92710efa/reports/e9d32416-de3a-4b6a-aecb-806e923414d4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fe238573-da0d-4d16-89b3-4a8035868ebb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953653
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Injects files into Windows application
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Encoded PowerShell Command Line
Uses dynamic DNS services
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 586133 Sample: iG55NQOWYi Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 37 haberci1.duckdns.org 2->37 39 246.204.9.0.in-addr.arpa 2->39 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 7 other signatures 2->55 9 iG55NQOWYi.exe 14 22 2->9         started        14 notepad.exe 1 2->14         started        signatures3 process4 dnsIp5 41 files.catbox.moe 107.160.74.133, 443, 49793, 49800 AS40676US United States 9->41 43 de.catbox.moe 9->43 33 C:\Users\user\AppData\Roaming\...\notepad.exe, PE32+ 9->33 dropped 35 C:\Users\user\AppData\...\iG55NQOWYi.exe.log, ASCII 9->35 dropped 57 Drops PE files to the startup folder 9->57 16 notepad.exe 1 9->16         started        19 taskkill.exe 1 9->19         started        21 taskkill.exe 1 9->21         started        25 4 other processes 9->25 59 Encrypted powershell cmdline option found 14->59 61 Injects files into Windows application 14->61 23 powershell.exe 14 14->23         started        file6 signatures7 process8 signatures9 45 Encrypted powershell cmdline option found 16->45 47 Injects files into Windows application 16->47 27 powershell.exe 16->27         started        29 conhost.exe 23->29         started        process10 process11 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9262509414f88ba8a7ea799a041bdcab8c68c502917fa5d66cd39dbb940cea15/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-02 21:21:56 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
17
AV detection:
5 of 42 (11.90%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
4cbccf95c51f5cd84021e5afba34f507411d2a6d00d30f3223e18c298ecdd3a6
588692919a751e9852cf32e0b1da42c347f2ff99a2afd2378c6a7573d7a532fc
81416191506375195b1144528df280772da4c2e025808d83064ba1829abc1f1e
845c3cc7f3e34e1fb4c65f56944c260ba24122356ef1f9819b9ddb87e302e738
897187d1c30a8eecc26e28ab1fe5ab4cf7ffaf55d41db358c294b0b19ffd1cd4
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
f27c6d23143bb1c0ea77515c806ee7d75889c31262c7c26a5868989fef41e466
f4af46ad96a86cad60d613a3387a0a68c580247ef88943e2ea0e5b9679a38c2e
+ 263 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220309-yz29cseeck/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
9262509414f88ba8a7ea799a041bdcab8c68c502917fa5d66cd39dbb940cea15
MD5 hash:
f24a239992856832a14d1546fc4cdda1
SHA1 hash:
6503bbd766e9ba94e9b25c1a2cf433abee12a764
Link:
https://www.unpac.me/results/574b2361-76ec-41b3-ac21-a533e3e0cdea/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9262509414f88ba8a7ea799a041bdcab8c68c502917fa5d66cd39dbb940cea15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9262509414f88ba8a7ea799a041bdcab8c68c502917fa5d66cd39dbb940cea15

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2086582/
Cape
Cape
https://www.capesandbox.com/analysis/248872/

Comments


Avatar
zbet commented on 2022-03-09 20:13:29 UTC

url : hxxp://file-coin-coin-10.com/files/8080_1646247139_5546.exe