MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97b5c7749b7defbf3f73dd4b86e129760adda6267f0596b483c2c89d373e1995. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	97b5c7749b7defbf3f73dd4b86e129760adda6267f0596b483c2c89d373e1995
SHA3-384 hash:	a4741673693a04585e452e709f9fd954a0662c614b91187c409bb4c12967c6ff5d42377d4ab8453cc49b177e974fdbdb
SHA1 hash:	c1eec40a287503314b18fe06ef2212b40112a934
MD5 hash:	0591b3b579cddd8eda7fb0d373e62892
humanhash:	coffee-twelve-avocado-monkey
File name:	0591b3b579cddd8eda7fb0d373e62892.exe
Download:	download sample
File size:	473'600 bytes
First seen:	2022-02-10 05:44:19 UTC
Last seen:	2022-02-10 08:00:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:stphtvIIHluJDXlln+PN05rdV6ifgpSFDfz+G7a+KDC2iQnQw4qGiNWxrrEDOUW6:E8U0dVg6yueGa3
Threatray	433 similar samples on MalwareBazaar
TLSH	T127A49217BA05CA50C258A937D5D6912003BAF8D36373CA0B3E9E12965E533DF698F3C9
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.Inject4.25481.26445.8417.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Creating a file in the %AppData% subdirectories

Launching a process

Creating a process from a recently created file

Enabling autorun by creating a file

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/6204a662942573cad44e8625/reports/8aaa33ff-796c-4d20-85a6-1f29a4db99a0/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1c88d66d-e132-4776-915a-a415b174c1ed

Result

Threat name:

Clipboard Hijacker

Detection:

malicious

Classification:

spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/937521

Signature

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Clipboard Hijacker

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/97b5c7749b7defbf3f73dd4b86e129760adda6267f0596b483c2c89d373e1995/

Threat name:

Win32.Trojan.ClipBanker

Status:

Malicious

First seen:

2022-02-09 23:52:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

0eca210fbcf2f5451b6106fdb10889908d7e2dc2e0eadb6ff345ed75149d17ff

1295fb62e8f0296d96813f9584e50ba594c2cbcfc0f4f86c0428e3a9ed765e65

265c93af05ea076407228de4cdfecc5e4052273610d35021afd1d0e72c81bb92

34ab5727b71b4ada8d2ee6b551bb9af7fde0751633ae8f0a12812304a7a36c1c

4747e3d90198171f10ab973d32e0cbf1f679148832d1d10a6ec99a340b0a307f

697e0cf2e6636fff9b8cbece1e67cc5db6b0eb58aace6bafd7656874a9462f49

8a0c92492986fc6dde9450672a3f76d05beee65f95b997a7866c7bba341bbaa2

a9f85809eedc7a4033fa134ae35c2b9ab4de23ee6b2bd923662656d531d3236e

c8f9155cc97bde13afcdba0abd2264f8a91c73c39a8cfb4f8559a8276237e708

+ 423 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/220210-gfq9baefa2/

Behaviour

Checks processor information in registry

Creates scheduled task(s)

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Suspicious use of SetThreadContext

Executes dropped EXE

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

97b5c7749b7defbf3f73dd4b86e129760adda6267f0596b483c2c89d373e1995

MD5 hash:

0591b3b579cddd8eda7fb0d373e62892

SHA1 hash:

c1eec40a287503314b18fe06ef2212b40112a934

Link:

https://www.unpac.me/results/0f7281c4-1b3b-4b19-90d5-460137a87883/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample