MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
SHA3-384 hash:	1c143490725dbe7f7391542896696d4c4ad8a81fdef042ec910a6e06eee0c7f50b935ddef07b6f1d5a513a66de761e1d
SHA1 hash:	5398e207d9ad301860b570d87601c1664ada9c0a
MD5 hash:	43e7db53ce5c130179aef5b47dcf7608
humanhash:	nevada-idaho-berlin-oxygen
File name:	bekhjird.pif.bin
Download:	download sample
File size:	729'840 bytes
First seen:	2020-12-17 09:27:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep	12288:fBzZm7d9AZAYJVB7ii/XAvKxRJBnwvogSJ4M4G4aY2h5DGDt2:ZcneJVBvXAvwRJdwvZ5aY2h5DGR2
Threatray	211 similar samples on MalwareBazaar
TLSH	0EF47C21A98E982BC1A336749F79FFA795B96926032781A737C42D257FF004327253D3
Reporter	h8FJBZssbf8apvE

Code Signing Certificate

Organisation:	GlobalSign Root CA
Issuer:	GlobalSign Root CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Sep 1 12:00:00 1998 GMT
Valid to:	Jan 28 12:00:00 2028 GMT
Serial number:	040000000001154B5AC394
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	EBD41040E4BB3EC742C9E381D31EF2A41A48B6685C96E7CEF3C1DF6CD4331C99
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

141

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

26848M.xlsm

Verdict:

Malicious activity

Analysis date:

2020-11-09 05:54:55 UTC

Tags:

macros ole-embedded macros-on-open exploit CVE-2017-11882 trojan opendir loader

Link:

https://app.any.run/tasks/44f4b416-ea65-4437-b988-84de7617728a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Trojan.Autoit-6922942-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Changing a file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/565190

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1/

Threat name:

Win32.Trojan.Ymacco

Status:

Malicious

First seen:

2020-08-25 09:40:17 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Verdict:

malicious

52d5e596c1da82e5895bcd485a98989ff1b81ab3ee5baa13a41ff1c2808493eb

61f312d2472d658a6570f3e96fc4543309a304d9415e86b1c9306f2baacc9563

7943dd3d1f4215ee40123ab13edc945dccd0ff9d3e9cddf372ff8ecbffe62635

7caf2e20a5d049ccf8aa3935fd8517e77d5e7e7e0322ceca894b9baad970aca2

7faca8eb78bcc2336921f00c1bf10c41ebba04de4a21d402b044029623566e3d

87ee5e680c1334c8945b1448819310331304593ad7b4356807bed6d857060226

aa413c154e7c44cfd8c92b7db78ce495697bb00cc43c55fe6a8ac58b2978851d

d35f40a630b2e4b24ec76c354e1e66d927afe339aaba45ff3c750ed52193c910

eb37bfd04a799f257163030196f110fb6c12eea4e797bcd3e14c12b6ac789666

+ 201 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201217-hgthyz2ayj/

Behaviour

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

MD5 hash:

43e7db53ce5c130179aef5b47dcf7608

SHA1 hash:

5398e207d9ad301860b570d87601c1664ada9c0a

Link:

https://www.unpac.me/results/1bcd672c-267c-41bc-85a4-a60ac247f82d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Nanocore

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample