MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97e6f455a3b65aa1d4a984605672d53e10c27d3ccd04bafaa6c4865797011a8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97e6f455a3b65aa1d4a984605672d53e10c27d3ccd04bafaa6c4865797011a8c
SHA3-384 hash: 75779e4dab455b3ecc57119d9816d0014d61e75547f16db0e19887e4b063cb79227b63df3b60c1c11794e25572a97c97
SHA1 hash: eb059409a1ca299898c9e75a70e5698817283a8a
MD5 hash: ca172550b5ae9225862871f183178d34
humanhash: emma-green-bravo-princess
File name:SecuriteInfo.com.Variant.Lazy.231291.798.27183
Download: download sample
File size:387'568 bytes
First seen:2022-08-08 11:58:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2d7259b049d21d9dd506b1f46bde2570
ssdeep 6144:GkGIcwxjGdX1pyrLVCpzf/XnaYrSM8k6tFC69OIl1CjMvP5IuMLMtqtVLD:GkGIcwcJ1piVCpzf/XnaYrSM8k6nC69+
Threatray 138 similar samples on MalwareBazaar
TLSH T16F848C11B9C0C432D67338314BB4E6B28D7DB57029615A9F67CC4A7A5F386C0A639B2F
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Lazy.231291.798.27183
Verdict:
No threats detected
Analysis date:
2022-08-08 11:59:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f3168986-ff41-497e-91c7-c72a8d025955

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297132/
Detection(s):
SecuriteInfo.com.Variant.Lazy.231291.798.27183.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28368/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed xwizard.exe
Link:
https://www.filescan.io/uploads/62f0fb046a4f9c4525a39a20/reports/e48198e8-3229-4e01-95cc-58328da96521/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/35910d33-3584-41f4-b174-d6ee968df7f8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1047882
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97e6f455a3b65aa1d4a984605672d53e10c27d3ccd04bafaa6c4865797011a8c/
Threat name:
ByteCode-MSIL.Backdoor.Pandora
Create hunting rule
Status:
Malicious
First seen:
2022-08-08 11:59:08 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
8 of 40 (20.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7tpivndwznkdvfjqrqfm4wvhyime7j4zuclv6vgysdfpfybdkga._file
Verdict:
malicious
Similar samples:
15f4e965344a38b07713363133e6624f72db10cb297967e91608eec1020e6b1d
24c5fd250f049aa2541949da3fb8efdba5df9337b00dfecee31581d64ec1ed78
2e71e3bcb39c87ae43d0019b5d62084b8eb2bb0ebe09c05d7cf2ad026082e527
423603734e03a0601620dfa8522bbddfc14de5418da253167f46f3a14cca4979
84b3387d512191b0764fde9a03d827cb42ffe33d864b115b959c61a0147aa64d
99f8934579138297335f15bf91dabb56e5ad2b0fbe925bcf38cfc7be4c17dc11
9d58d1f01fb2a963ba486c9651f5820877927ac53ab176b2b2018d341383de88
9f067f88a79885c1d3a82401ce60ec0aea654c9c8f26a886353ead8f2747ed2b
+ 128 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220808-n5qgmsceg2/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
97e6f455a3b65aa1d4a984605672d53e10c27d3ccd04bafaa6c4865797011a8c
MD5 hash:
ca172550b5ae9225862871f183178d34
SHA1 hash:
eb059409a1ca299898c9e75a70e5698817283a8a
Link:
https://www.unpac.me/results/cad28549-b61d-4b5a-93b7-909641a2ecef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/97e6f455a3b65aa1d4a984605672d53e10c27d3ccd04bafaa6c4865797011a8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/297132/

Comments