MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92d2144b7decac2b353200c7cd0a31377aad9da6a1d9cc444eb2e69eb47630b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92d2144b7decac2b353200c7cd0a31377aad9da6a1d9cc444eb2e69eb47630b9
SHA3-384 hash: 475e7b4b8b19b933ad3581f3289f0660e7edb8c882d9373d2bfaaeacd5369dab85b5e4d814dbd170b67f7cb3881ce1c9
SHA1 hash: f28fafd1062c3bb89e990ab7aeafe8426fe28a98
MD5 hash: 8c8dc5f35bdf12d4051c5a506e7fb072
humanhash: arkansas-alabama-burger-south
File name:8c8dc5f35bdf12d4051c5a506e7fb072.exe
Download: download sample
File size:867'840 bytes
First seen:2021-03-19 07:32:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:0AHnh+eWsN3skA4RV1Hom2KXMmHajAM5:Dh+ZkldoPK8YajD
Threatray 961 similar samples on MalwareBazaar
TLSH 74058B0273D1C036FFABA2739B6AF64156BC79254133852F13981DB9BD701B2263E663
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
specificație.doc
Verdict:
Malicious activity
Analysis date:
2021-03-18 06:05:20 UTC
Tags:
ole-embedded exploit CVE-2017-11882 loader smoke trojan stealer
Link:
https://app.any.run/tasks/3b5aaf88-b3f0-4b81-86c0-266377171cd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125584/
Detection(s):
SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/671c2561-5ac2-47d9-be71-753b4dbdcbec
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/645780
Signature
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92d2144b7decac2b353200c7cd0a31377aad9da6a1d9cc444eb2e69eb47630b9/
Threat name:
Win32.Downloader.Dofoil
Create hunting rule
Status:
Malicious
First seen:
2021-03-17 20:16:33 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
028115ae3e6e3fc774f58184b4bb7d257f626ce5cf6a60e1a749c22fe74803f2
208a8cfdd915e43d58459d4e082efbbf58c649933c09c18c52bc95d34f9725ce
6cebbb0e3d8d28117e67f18212a9847d0262fd4e616def639be1071f1c33b8fb
a4ab08ff70e6117f5ca89a99fa94d63ba3468a7c97e2efc4d8ed6c634bb97671
aef701274d6fae63271e1cc66aa3040f9a337437e921240d2b990d82ebd4b094
c8be9dc730d65a14f19a17df74d074683ef2f6b479f7628f4f4a7b2231a2ea8a
d9055a52862d279916cedbadecb44061ea5674883e9f63cfe98e6b6adbd0b249
da32892b691e51284649a6f71c2ff12937efcf7caddeade9fd66f589643ce25f
e7c777cc2838334214d3349178f52cd2fdce9138cbd51de1c62bcc73a3478a4f
ea7bab4bc272e541ed341a0e4836a83bb569c874e2a2ae0bf9bb0f171a4075cf
+ 951 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210319-x5cwecv5gx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Unpacked files
SH256 hash:
92d2144b7decac2b353200c7cd0a31377aad9da6a1d9cc444eb2e69eb47630b9
MD5 hash:
8c8dc5f35bdf12d4051c5a506e7fb072
SHA1 hash:
f28fafd1062c3bb89e990ab7aeafe8426fe28a98
Link:
https://www.unpac.me/results/7437d3b2-57c7-4f78-8a20-df3053d89479/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/92d2144b7decac2b353200c7cd0a31377aad9da6a1d9cc444eb2e69eb47630b9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 92d2144b7decac2b353200c7cd0a31377aad9da6a1d9cc444eb2e69eb47630b9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1074704/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/125584/

Comments