MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b459a76b2983ee1bc0b796e80d70f7bd564d04e9556e16256ba92d53425bf9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b459a76b2983ee1bc0b796e80d70f7bd564d04e9556e16256ba92d53425bf9c
SHA3-384 hash: 5923a3ab9b3422ad54580b50f572ff775faa195318e0b8b1a4a594525fddf57775d883f1739e54b388da2a3a0b7d1d38
SHA1 hash: d2b8aa082f30309456a712784e04ef8165edd79f
MD5 hash: 4bfb3eec2adb1a05de60124765091e89
humanhash: sink-march-kansas-network
File name:Soft.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:994'304 bytes
First seen:2022-03-06 12:25:42 UTC
Last seen:2022-03-06 13:41:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:P/16uHAW92zt/sWu2BSMCqDWrD8rTmTLELjLjLjETbEbhrlQsMPDIeD5tym5kJ:P9LH+tkWJ0zrD8rTmTLELjLjLjETbEbh
Threatray 264 similar samples on MalwareBazaar
TLSH T16E257C8D63793E31E42D65F2F10B524D488CBA48C6470E82FA844DDF3BD9174929BBB6
File icon (PE):PE icon
dhash icon e0c8cec6c6c6c0e0 (3 x BlackGuard, 3 x Formbook, 2 x MassLogger)
Reporter 3xp0rtblog
Tags:BlackGuard exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
481
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PredatorTheThief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247666/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen3.12555.23248.9615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4227753d-340b-4047-ac8e-2caeef57a844
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/951404
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b459a76b2983ee1bc0b796e80d70f7bd564d04e9556e16256ba92d53425bf9c/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 01:43:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44
BlackGuard
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
BlackGuard
4e7a2d297395633bb98f5a8e2c51ed41bad9e7b8917eca00aa9b83517d16eb91
BlackGuard
4f4d29507bafc223646d98f5fed78d52dd96caeee2072ff17b15718b45a1811f
BlackGuard
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
BlackGuard
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
BlackGuard
877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9
BlackGuard
b287dcb70b7a9ed7025171572a96f1447efa6adf88cd30aba591270052acfe8b
BlackGuard
ba2bc430c4661aab84cf7e8fedf2684e5fc106f7797af4553aef7490193b00a6
BlackGuard
bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207
BlackGuard
+ 254 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220306-pl7ggsaeb7/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
e591c29e65861af9841be44cc65c058126f539285fd4a30141ed1da033478ea3
MD5 hash:
901df6ac148ab127fe2942ddb4bf74c0
SHA1 hash:
d41ad680ca3c8efa1098495cb2a5306338e5ae8f
Link:
https://www.unpac.me/results/2666ba37-9e20-4c4c-a255-71260af51388/
SH256 hash:
9b459a76b2983ee1bc0b796e80d70f7bd564d04e9556e16256ba92d53425bf9c
MD5 hash:
4bfb3eec2adb1a05de60124765091e89
SHA1 hash:
d2b8aa082f30309456a712784e04ef8165edd79f
Link:
https://www.unpac.me/results/2666ba37-9e20-4c4c-a255-71260af51388/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/9b459a76b2983ee1bc0b796e80d70f7bd564d04e9556e16256ba92d53425bf9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1500119223812730884
Cape
Cape
https://www.capesandbox.com/analysis/247666/

Comments