MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c
SHA3-384 hash: d504561555e3d9e83d58c088679fb486c67fa505a28d3397d6ffc8074a6a95c93ba37a3852c0b2bfee6bc03b5bf537d9
SHA1 hash: 37d7e8ab70eb1e649e3f50bec0d0f58ded5d0cda
MD5 hash: 6768db735cdff69b788f0f19b2e3a520
humanhash: three-connecticut-alpha-artist
File name:6768db735cdff69b788f0f19b2e3a520
Download: download sample
File size:202'752 bytes
First seen:2023-06-15 10:46:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 554b97b4ca75d054417a17a8c740d1a8 (2 x Rhadamanthys, 2 x RedLineStealer, 1 x Tofsee)
ssdeep 3072:V0Zhg/2yMRHAyFVqVzM3nYA69li8+BqN8GEdN0b+96L:eZw2r+iVqdM3QzNl+
Threatray 65 similar samples on MalwareBazaar
TLSH T1DD14CF2272E0DC72E47A1A70BC75CAD47B2EB9520F70969B232C1B2F1EB12E04D76355
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 016066624a426602
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6768db735cdff69b788f0f19b2e3a520
Verdict:
No threats detected
Analysis date:
2023-06-15 10:48:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17fac207-c174-46df-a965-aefe2751b633

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399111/
Detection(s):
Sanesecurity.Malware.29525.BadIN.UNOFFICIAL
Create hunting rule

Win.Trojan.Mokes-10004396-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/90859/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CheckCmdLine
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/648aec2840b26d42ee55b303/reports/b7122439-4b97-4924-b5fc-cb212650a9db/overview
Verdict:
Malicious
Labled as:
Cerbu.Generic
Link:
https://www.hybrid-analysis.com/sample/97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/402b7117-4295-427c-b3cb-195521b09625
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1255232
Signature
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 888252 Sample: QQbwoRyNC1.exe Startdate: 15/06/2023 Architecture: WINDOWS Score: 92 24 Malicious sample detected (through community Yara rule) 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Suspicious powershell command line found 2->28 30 Machine Learning detection for sample 2->30 6 QQbwoRyNC1.exe 1 2->6         started        10 powershell.exe 11 2->10         started        12 powershell.exe 2->12         started        process3 dnsIp4 22 65.109.64.82, 4308, 49685 ALABANZA-BALTUS United States 6->22 32 Detected unpacking (changes PE section rights) 6->32 34 Detected unpacking (overwrites its own PE header) 6->34 36 Found evasive API chain (may stop execution after checking mutex) 6->36 38 2 other signatures 6->38 14 QQbwoRyNC1.exe 10->14         started        16 conhost.exe 10->16         started        18 QQbwoRyNC1.exe 12->18         started        20 conhost.exe 12->20         started        signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 03:43:38 UTC
File Type:
PE (Exe)
Extracted files:
16
AV detection:
23 of 36 (63.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7dr4wriacrubxw2gpvlfsc427qgealuk4ap4ww5ic4ek4vqyrwa._file
Verdict:
malicious
Similar samples:
07109ec0f36d15537a80c566875fcbb482f1057104ed0669bc77489b1b2e3bb7
29a2ccde9462129384566d7a6b3553ae3d4c3c62628b9f91995cc8433de139ab
37e0b7e14eaeeb2205c87261982e272eaa6dd4b95fdd2edc7b2a5b9d29b64a09
542135e092c67c70b1fb7910134e2a6fbecc0044bd8b7ae78d4d03e7ce3249ef
59206515a48f6fcfdf4e1ec5e8bf4ddd052a7415f86d52e39f59b15fb7e64002
a0140bd61d20392a9cc93a61830fcbbfa400835a464e495ab1083642addc6b8e
e29feaa5985da025ace863eaf3289be1d426dccc8d41681ccc98c0c1823d1b98
ebc9f697284097979e511887e40f9e1bc57fcedb2be1f37fb1ed20ee90004d93
f19aac41c3f432af709d0597c34fe4c25348043ac622e97d89ded00fdf663a5f
f46b5b289501e88dc89c7d8daf37156459bcacebceaff3af7718190384546dbd
+ 55 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230615-mvh45sga34/
Behaviour
Adds Run key to start application
Unpacked files
SH256 hash:
4653566b88281b26436769143694aef974ea2f86f0a866d10c06533d47c20231
MD5 hash:
14f2de522be192785d6a1172826eef02
SHA1 hash:
3f8a24d33fc0df32734383c8c8ee086cdef13d54
Link:
https://www.unpac.me/results/f1fa1c9a-f1b2-460c-9230-4c947ec5acb5/
SH256 hash:
97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c
MD5 hash:
6768db735cdff69b788f0f19b2e3a520
SHA1 hash:
37d7e8ab70eb1e649e3f50bec0d0f58ded5d0cda
Link:
https://www.unpac.me/results/f1fa1c9a-f1b2-460c-9230-4c947ec5acb5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 97c71e5a2800a340deda33eab2c85cd7e06201745700fe5add40b84572b0c46c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2661730/
Cape
Cape
https://www.capesandbox.com/analysis/399111/

Comments


Avatar
zbet commented on 2023-06-15 10:46:19 UTC

url : hxxps://bluestaks.novationgroups.com/post/Upshotox64.exe