MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db
SHA3-384 hash: 3f9ea583ac434c591818dbf530232573af7c03cc9f9dd8ab74178293e8436d4b862f8ba3f15da3fbe918bca4310b3a4f
SHA1 hash: 760abe7849d26abfed797fd610a2ce552e433d5d
MD5 hash: 4e849f2cabc43c709b9f798cd868e53d
humanhash: black-indigo-cold-freddie
File name:4e849f2cabc43c709b9f798cd868e53d.exe
Download: download sample
File size:732'088 bytes
First seen:2021-10-25 07:49:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Q40Q1qdK7b4YheoWnp2FMg8jMVLmJCWJOoxj4i+:OK7teo+sYjMtsCgBU
Threatray 570 similar samples on MalwareBazaar
TLSH T1F7F4AE42FBC105FDD23E49BB745859916223FCBAB81C5010F3EBFF5618B6362462B94A
File icon (PE):PE icon
dhash icon e868ead2e2fe7af2 (2 x AsyncRAT, 1 x RedLineStealer, 1 x Adhubllka)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Spynet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199829/
Detection(s):
SecuriteInfo.com.Trojan.Siggen15.30756.7260.29724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6176a338db358dd15ed93278/reports/43861076-4c06-4607-9205-3493208f4e90/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b43a7efa-62f2-4986-8d26-7a042a9ef1b2
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/876063
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 508506 Sample: qjNOFB8fLX.exe Startdate: 25/10/2021 Architecture: WINDOWS Score: 100 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected UAC Bypass using CMSTP 2->64 66 Yara detected AntiVM3 2->66 68 4 other signatures 2->68 7 qjNOFB8fLX.exe 23 9 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 8 other processes 2->16 process3 dnsIp4 56 cdn.discordapp.com 162.159.133.233, 443, 49742, 49743 CLOUDFLARENETUS United States 7->56 46 C:\Windows\Resources\Themes\...\svchost.exe, PE32 7->46 dropped 48 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 7->48 dropped 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->50 dropped 70 Creates autostart registry keys with suspicious names 7->70 72 Creates an autostart registry key pointing to binary in C:\Windows 7->72 74 Adds a directory exclusion to Windows Defender 7->74 76 Drops PE files with benign system names 7->76 18 powershell.exe 24 7->18         started        20 powershell.exe 25 7->20         started        22 powershell.exe 7->22         started        24 AdvancedRun.exe 7->24         started        52 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 12->52 dropped 78 System process connects to network (likely due to code injection or exploit) 12->78 80 Multi AV Scanner detection for dropped file 12->80 26 powershell.exe 12->26         started        28 powershell.exe 12->28         started        30 powershell.exe 12->30         started        54 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 14->54 dropped 82 Drops executables to the windows directory (C:\Windows) and starts them 14->82 58 127.0.0.1 unknown unknown 16->58 60 192.168.2.1 unknown unknown 16->60 84 Changes security center settings (notifications, updates, antivirus, firewall) 16->84 file5 signatures6 process7 process8 32 conhost.exe 18->32         started        34 conhost.exe 20->34         started        36 conhost.exe 22->36         started        38 AdvancedRun.exe 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 conhost.exe 30->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-10-23 11:23:55 UTC
AV detection:
13 of 27 (48.15%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
278602396c9f613328746aa33d0fa09d0aac466c68ca349ec0d8193d664aef35
2ac91449fd255e02594e29de0f1c66c70fb0ba1af3dd87846ffe3e21503ffb4d
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
bd30704f52f0e08aae6df420255dc69f36f50eb7bf11e6aae22bd167b3ed905c
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
d03c843490124f40cf12e9cf9ceb3435d564b4b58ad6eecc04046476dc27d29a
daa69519885c0f9f4947c4e6f82a0375656630e0abf55a345a536361f986252e
+ 560 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211025-jpac9sfgg6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
8f9b9aac5cb8eef357b6b1eb349ab520e7ba07a6dd00096b896613448b1cb115
MD5 hash:
cfe4738cdbc3bf10492db12ded3a308f
SHA1 hash:
c61bf5c5cb5d09ae0cd50bc678dd3e19a7d7bac4
Link:
https://www.unpac.me/results/b4f923ba-5ed7-4313-9d3b-1a9b6d0d8876/
SH256 hash:
9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db
MD5 hash:
4e849f2cabc43c709b9f798cd868e53d
SHA1 hash:
760abe7849d26abfed797fd610a2ce552e433d5d
Link:
https://www.unpac.me/results/b4f923ba-5ed7-4313-9d3b-1a9b6d0d8876/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9add64c3f617/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9add64c3f617392ec57bb083513237bdb50113bf908883aaa40894d6499ba8db

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1709504/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/199829/

Comments