MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97fa42e9f36b5e195c9c488df251a607611af5ce878a8f55067fac5de66d9ba2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97fa42e9f36b5e195c9c488df251a607611af5ce878a8f55067fac5de66d9ba2
SHA3-384 hash: 27bd1b41c94f3fbaf441c26cf29b392cef2f6590b94fa4e9dac2e1948a474fbabd5a1ec93ebe3a67eef30bde9fb25420
SHA1 hash: e67992a12eca1145509670c3bd0a687d0049b699
MD5 hash: 5c3fc024d7cf1ccee1a777895c587152
humanhash: bluebird-april-nebraska-edward
File name:5c3fc024d7cf1ccee1a777895c587152
Download: download sample
File size:5'544'960 bytes
First seen:2021-09-29 10:11:45 UTC
Last seen:2021-09-29 11:22:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe4b72c1e87d00ec8a399de3b4432210
ssdeep 98304:8PzLaxGYikreJUKsy80AZSl0jqOcJCuOhq8r/v8Y9+hOf46W:8PzWwYJrbKsy8DI6LuOhJDUY9+h6Z
Threatray 1'227 similar samples on MalwareBazaar
TLSH T1B7463378C0328B59CCAB9B307E5AD3988FA54694049DD1A4AEF1CF1B0639746B7BF344
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5c3fc024d7cf1ccee1a777895c587152
Verdict:
No threats detected
Analysis date:
2021-09-29 10:23:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a60d6216-324f-411c-9f91-bdb590d4826e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193098/
Detection(s):
SecuriteInfo.com.Variant.Razy.638802.25444.20925.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5dd7695-2f3c-4af6-999d-0e40c18aed9b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/860762
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97fa42e9f36b5e195c9c488df251a607611af5ce878a8f55067fac5de66d9ba2/
Threat name:
Win64.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-09-29 10:12:08 UTC
AV detection:
12 of 27 (44.44%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a
1e1986cb65365d3c0ce892c8d9edb82f813feb643ad06008f600c674238f4d99
4c89265179f2471e24688ac126c541886173be7773617450b0849cb48a5a293d
4dd950fcdcd8483ec9346b4a5214931134975c439cf463daa3a0518cfc5db9a6
7c3b5f1493854daf8b8c4c7385b9e3dcb6e4701b97617efbfa85852a47e3fffa
88f1c469317a8dfaf4c6fd17951a7d218e6a98445fa7ec12cb35ef786d1c2b2f
93e582393fca866d1291b3852e63dbe2e7a1460e9e2ab3d750083f28f4d04e64
b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
bcc26c979a4d7b0afec88bdf7c864e965db3041616acea4cda1874ba476e74e0
f303ccc5cdf05114cedee459d0f66bf3b428e19054e2e3f1f001d945332ab6c0
+ 1'217 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/210929-l8hj4aefdp/
Behaviour
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
97fa42e9f36b5e195c9c488df251a607611af5ce878a8f55067fac5de66d9ba2
MD5 hash:
5c3fc024d7cf1ccee1a777895c587152
SHA1 hash:
e67992a12eca1145509670c3bd0a687d0049b699
Link:
https://www.unpac.me/results/d4269c21-c917-4adb-b101-7a45c4915333/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/97fa42e9f36b5e195c9c488df251a607611af5ce878a8f55067fac5de66d9ba2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 97fa42e9f36b5e195c9c488df251a607611af5ce878a8f55067fac5de66d9ba2

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/193098/
  
URLhaus
https://urlhaus.abuse.ch/url/1647675/

Comments


Avatar
zbet commented on 2021-09-29 10:11:46 UTC

url : hxxp://185.215.113.36/zenaaaretest/Zenar_protected.exe