MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NightHawk


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8
SHA3-384 hash: d1b68615368aaacadb914007346e8768e64ceb01c3276198bd0b68d058f6cbefb2c09bf51016f510cc0b6c334c220a5b
SHA1 hash: 23601e4127d13e0015f70354e22afd3c5f41acc1
MD5 hash: 5b0028dd161208c993965a33138e282b
humanhash: potato-triple-nebraska-winner
File name:9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8
Download: download sample
Signature NightHawk
Create hunting rule
File size:974'848 bytes
First seen:2022-11-22 20:23:17 UTC
Last seen:2022-11-24 04:00:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60f091a9e8d8976c6d2d4d39d2b35d03 (1 x NightHawk)
ssdeep 12288:3BA7K8u5QxqstBay2R619MOtnLvM9Ff1K4r5nL4XsDnMell/mXWB0Z8HkoCnMTZO:+3sMgU7ttnLkt5LEfyl/mM0+Hk3MTZY
TLSH T161257D2EB3D802A5C4B6C1BCC74B5917EBB1744B0330ABEB06E4575A1F537A0AA3E751
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter Arkbird_SOLG
Tags:Beacon exe Nighthawk

Intelligence

File Origin
# of uploads :
2
# of downloads :
324
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8
Verdict:
No threats detected
Analysis date:
2022-11-22 20:27:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e6f8571-7a07-4f0a-b351-53a38817162a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/337346/
Detection(s):
MiscreantPunch.SingleXOR.EXE.65.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware hacktool keylogger obfuscated overlay rat
Link:
https://www.filescan.io/uploads/637d2fe45be128ac718e6357/reports/ef640917-7989-45cc-bc31-d7a8db17396c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/07159df2-e5b2-4b50-b3d0-1e3700fc9306
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1119203
Signature
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 751920 Sample: dTbH8QkiYX.exe Startdate: 22/11/2022 Architecture: WINDOWS Score: 52 24 Multi AV Scanner detection for submitted file 2->24 8 loaddll64.exe 1 2->8         started        process3 signatures4 26 Modifies the context of a thread in another process (thread injection) 8->26 11 rundll32.exe 8->11         started        14 cmd.exe 1 8->14         started        16 conhost.exe 8->16         started        process5 signatures6 28 Modifies the context of a thread in another process (thread injection) 11->28 18 WerFault.exe 17 11 11->18         started        20 rundll32.exe 14->20         started        process7 process8 22 WerFault.exe 3 9 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjlzdhgfygkofcwnmjyzjb6fmoupb3ysaw3fvw7fgu4g4nhedc4a._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221122-y6pa3sfh69/
Unpacked files
SH256 hash:
9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8
MD5 hash:
5b0028dd161208c993965a33138e282b
SHA1 hash:
23601e4127d13e0015f70354e22afd3c5f41acc1
Link:
https://www.unpac.me/results/96565004-a93c-4c90-9889-dc6df2b2c67a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a57919cc5c194e28acd62719487c563a8f0ef1205b65adbe535386e34e418b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/337346/

Comments