MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b
SHA3-384 hash: 2ee306d9c263b7e491c0f1743f489e9bd9726320f0d562d8a7c9e591caa9e083755b93b1926dbe3173a17bdeb31f32ef
SHA1 hash: 3365f2efb2d0a0dd8fbe34453b6c4b8cb2f6d74b
MD5 hash: d601091b00ce2f7b6beb2917b7a6c944
humanhash: sixteen-johnny-kansas-winter
File name:libcef_decrypted.dll
Download: download sample
Signature Metamorfo
Create hunting rule
File size:1'236'992 bytes
First seen:2023-11-23 21:24:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6a5767913cf60144e52c85d78727993a (1 x Metamorfo)
ssdeep 24576:1RyLJEcFuU4QC4eOjCw+V5Ox5Ke8D8JvM4TVZQkBNmsuNGlH54W:SlXcUGOjCwSSU/DAU6VZ5NmsuNGlZT
TLSH T14B45125BB152707CCA6FC934D9E673A178B1F41004345FBD0B6886312F21EA4EB6EDA9
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter dodosec
Tags:casbaneiro exe MetaMorfo


Avatar
dodo_sec
Final stage decrypted by Medusa.exe and injected via search order hijacking into legitimate SketchUp executable

Intelligence

File Origin
# of uploads :
1
# of downloads :
385
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459920/
Detection(s):
SecuriteInfo.com.Win64.SpywareX-gen.31779.32737.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Setting an event handler
Searching for synchronization primitives
Enabling autorun
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug masquerade packed
Link:
https://www.filescan.io/uploads/655fc32f7485e5b1ecb8ee88/reports/81adfdcf-384a-448d-ad96-1c26a92963bf/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5c22ab3e-649e-4168-9ac3-4195d45ef9cc
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1347116
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1347116 Sample: libcef_decrypted.dll.exe Startdate: 23/11/2023 Architecture: WINDOWS Score: 68 23 Multi AV Scanner detection for submitted file 2->23 25 .NET source code contains potential unpacker 2->25 27 .NET source code contains very large strings 2->27 29 2 other signatures 2->29 8 loaddll64.exe 22 2->8         started        process3 process4 10 regsvr32.exe 1 22 8->10         started        13 rundll32.exe 8->13         started        15 cmd.exe 1 8->15         started        17 3 other processes 8->17 signatures5 31 Creates an undocumented autostart registry key 10->31 19 rundll32.exe 19 15->19         started        process6 process7 21 explorer.exe 19->21 injected
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b/
Threat name:
Win64.Trojan.SpywareX
Create hunting rule
Status:
Malicious
First seen:
2023-11-23 21:25:06 UTC
File Type:
PE+ (Dll)
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=totsms544cyhj6t5fssfng75ksfavm7rt5zqytp65lcehwohaf5q._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/231123-z9lj2add3w/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Registers new Windows logon scripts automatically executed at logon.
Unpacked files
SH256 hash:
9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b
MD5 hash:
d601091b00ce2f7b6beb2917b7a6c944
SHA1 hash:
3365f2efb2d0a0dd8fbe34453b6c4b8cb2f6d74b
Link:
https://www.unpac.me/results/d9c4a91a-a183-4059-a0ce-ba7a18495732/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe a1211549b4e1a7befd953d03b4d929b3dc9f25ec6c1bc9c05ae92a0ec08fb77c

Metamorfo

Executable exe 9ba7264bbce0b074fa7d2ca4569bfd548a0ab3f19f730c4dfeeac443d9c7017b

(this sample)

  
Dropped by
SHA256 a1211549b4e1a7befd953d03b4d929b3dc9f25ec6c1bc9c05ae92a0ec08fb77c
Cape
Cape
https://www.capesandbox.com/analysis/459920/
  
Dropped by
MD5 9d6f9f16e32e244688980625f58835e0

Comments


Avatar
commented on 2023-11-24 05:07:41 UTC

https://x.com/JAMESWT_MHT/status/1727754734876913736?s=20