MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f
SHA3-384 hash: 88e1e918e4a95b76c4f2098a69e4d59f7b40b42f89c11dbe8aa1b0ecec4c7b93bb1b4ab7a8c33476166bf8e9b723b4d7
SHA1 hash: d9eb8ad31e1d74f1b2bad2b664e8c632b1a246d6
MD5 hash: 03936e1d5952729c0c6bac3c200739cc
humanhash: venus-queen-lactose-snake
File name:03936e1d5952729c0c6bac3c200739cc.exe
Download: download sample
File size:15'725'573 bytes
First seen:2023-04-22 10:43:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 393216:3i5ceG7XLCPa18feHZSr7EdKTjxjj2hU0OcA:3veoLU3ryQhj90Ox
Threatray 1'422 similar samples on MalwareBazaar
TLSH T1E6F6233FF258A53ED45E173245B3C6608A3BBA60641A8C1B1BFC784DCF765700E3A65A
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
03936e1d5952729c0c6bac3c200739cc.exe
Verdict:
Malicious activity
Analysis date:
2023-04-22 10:45:24 UTC
Tags:
installer
Link:
https://app.any.run/tasks/573a534c-bc90-4b18-9bb0-948ed69b4048

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.14726.4284.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80937/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6443ba747992ccda134f191d/reports/1595bb50-0c69-46cd-b6f6-12a93c436124/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/68938657-4176-4331-89b1-3ede4dee318e
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1219166
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Disables Windows Defender (via service or powershell)
Found potential ransomware demand text
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 852112 Sample: fPSN4a0ZXq.exe Startdate: 22/04/2023 Architecture: WINDOWS Score: 48 79 Snort IDS alert for network traffic 2->79 81 Antivirus detection for dropped file 2->81 83 Multi AV Scanner detection for dropped file 2->83 85 3 other signatures 2->85 10 fPSN4a0ZXq.exe 2 2->10         started        14 VuzeBittorrentClientInstaller.exe 2->14         started        16 VuzeBittorrentClientInstaller.exe 2->16         started        process3 file4 67 C:\Users\user\AppData\...\fPSN4a0ZXq.tmp, PE32 10->67 dropped 91 Obfuscated command line found 10->91 18 fPSN4a0ZXq.tmp 26 22 10->18         started        signatures5 process6 file7 55 C:\Users\user\AppData\Roaming\is-457UP.tmp, PE32 18->55 dropped 57 C:\Users\user\AppData\Roaming\1.exe (copy), PE32 18->57 dropped 59 C:\...\unins000.exe (copy), PE32 18->59 dropped 61 7 other files (3 malicious) 18->61 dropped 87 Adds a directory exclusion to Windows Defender 18->87 89 Disables Windows Defender (via service or powershell) 18->89 22 1.exe 8 18->22         started        25 powershell.exe 21 18->25         started        27 powershell.exe 19 18->27         started        29 3 other processes 18->29 signatures8 process9 file10 63 C:\Users\user\AppData\Roaming\uTorrent.exe, PE32 22->63 dropped 65 C:\Users\user\AppData\Roaming\goopdate.dll, PE32 22->65 dropped 31 uTorrent.exe 7 22->31         started        35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 29->41         started        process11 file12 69 C:\ProgramData\Chrome\goopdate.dll, PE32 31->69 dropped 71 C:\ProgramData\ChromebehaviorgraphoogleUpdate.exe, PE32 31->71 dropped 73 C:\ProgramData\Chrome\XnViewMP.xml, XML 31->73 dropped 75 2 other files (none is malicious) 31->75 dropped 77 Uses schtasks.exe or at.exe to add and modify task schedules 31->77 43 schtasks.exe 1 31->43         started        45 schtasks.exe 1 31->45         started        47 schtasks.exe 1 31->47         started        signatures13 process14 process15 49 conhost.exe 43->49         started        51 conhost.exe 45->51         started        53 conhost.exe 47->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tngjzbgw3xao6oubp4vx5ifbeyuxzt526rm7qaknu4rrki7juj7q._file
Verdict:
unknown
Similar samples:
084edf73cf31ee0c9ee417ad0b2f62efd98956cb22582db1f6d6bcff043af6e9
2c8960c00dfc803bb8175a6833904173b6ff044c7128c24c8de2379b47274c77
507784fa7810e00285aa5467191caeea083644985a9d6f96b06684715e2d5add
6a4e8a5b81223afdbe0d39158cb013057e41d5ae6626e1e6c8aef0a5dfd02ca2
6f907bcaa62f240caffd9a92f0e9017f67bd8d9ea929658e74eca35763a4a0b6
72c4d8867a04bf45963c4de8a847c6b53ecda8f3b39a417faf1cf04700561e20
840cf44c6fe52b883a3ebb5cbdd0a3705ffb661109265fbf68a1330266fd6cc6
8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
b25ae1db93e568ba7a07c876e4f8af316078b05dd67a994ff79fee997a7a46ab
+ 1'412 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230422-mss7bsed56/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
485019aef97fc6f68f24869eb6329c435b06dd78fa29334524ebcac4127d22b1
MD5 hash:
8a93dc5c6e087af6629ee6c79212adb9
SHA1 hash:
421a814aa334c109d871d8d8ef8565b0a1db229d
Link:
https://www.unpac.me/results/326289c4-b20d-401c-943f-303cc1ee45b3/
SH256 hash:
dfe4fc16dcb543f2bb5dc794c58c66b3f397627f21482ee3119d6991ce2645fd
MD5 hash:
64163efcc9ac2c2bd80f1324ec512cc1
SHA1 hash:
88496ee9a6ae507d208489b3778bd578a686422e
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/326289c4-b20d-401c-943f-303cc1ee45b3/
Parent samples :
8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f
SH256 hash:
461338f8cef5aed887758e1667bd50c1b3f37a1250f9587e561faf048142822b
MD5 hash:
915c6e21d5f0843d745b13d99107af5a
SHA1 hash:
a657b78527f416f1e81c055cf70016748bf44dda
Link:
https://www.unpac.me/results/326289c4-b20d-401c-943f-303cc1ee45b3/
SH256 hash:
9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f
MD5 hash:
03936e1d5952729c0c6bac3c200739cc
SHA1 hash:
d9eb8ad31e1d74f1b2bad2b664e8c632b1a246d6
Link:
https://www.unpac.me/results/326289c4-b20d-401c-943f-303cc1ee45b3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9b4c9c84d6dd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments