MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
SHA3-384 hash: 9ce778c391250b4d4cdd449235ad7a9a4192240452afb3a720338991a85cde547fb3182a7566c5a15d6cf2b71675aad6
SHA1 hash: 90cd4499a264ac9e589a0a0c98e0258067aa22a7
MD5 hash: 6c90fa5b5c9de97a444b366ec0d14255
humanhash: floor-butter-spaghetti-crazy
File name:9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
Download: download sample
File size:7'449'600 bytes
First seen:2022-11-21 08:24:56 UTC
Last seen:2022-11-21 09:51:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 98304:AB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:RcUG4raKu24YY7HVT4hV0AD6QgqKRgX
Threatray 16'456 similar samples on MalwareBazaar
TLSH T1CC7633E266C45679D3EF3EB0EE2586051A54BDB026813773BB5A3F0D7BF04297A0D218
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6810706969700068 (2 x Nitro)
Reporter petikvx
Tags:exe Ransomware

Intelligence

File Origin
# of uploads :
2
# of downloads :
502
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
Verdict:
Malicious activity
Analysis date:
2022-11-21 08:27:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/287bc58a-effe-40fd-8c15-ef275837d316

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336614/
Detection(s):
SecuriteInfo.com.Variant.Lazy.265889.12581.917.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for analyzing tools
Creating a file
Reading critical registry keys
Creating a window
Creating a file in the %AppData% directory
Changing a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Encrypting user's files
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
filecoder packed
Link:
https://www.filescan.io/uploads/637b35e0e64742f53c106c1e/reports/068987e8-9186-4fc0-9d3d-68ebef008878/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b1c13079-f25a-485c-85d1-9ebf5be44913
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1117903
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (creates a PE file in dynamic memory)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897/
Threat name:
ByteCode-MSIL.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-11-18 18:35:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqth235hqf2lhs5ivsg6kwgyhkl67ocjjoq4m5prje6liejtvclq._file
Verdict:
malicious
Similar samples:
62263e2a3baa016b5048a6db6c0db98f8036c6fedb41216a6a08087ac7890413
68484d62dab0f69fe93fad1f2bb08a0284426ee328efc38b6000f54acf5945f1
71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80
af74b80210c8fd9f512427ff46e8ccbdf063a9eed4fa3ffe15f791880c5b8d1e
b47cf0eaed7e3798e77eaf01aac5783f2c03f7db7802a5215523d4ccdc631bc5
d6ec737d10afdaf38cafede9fde045dd3ce7bc72c6ee13df33e018f0e7149893
+ 16'446 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
agilenet evasion persistence ransomware themida trojan
Link:
https://tria.ge/reports/221121-kbabsabc54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Sets desktop wallpaper using registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Drops desktop.ini file(s)
Checks BIOS information in registry
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Themida packer
Modifies extensions of user files
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/38261c8b-617e-4989-aa3a-229de14e2140
Unpacked files
SH256 hash:
b57cc03f1038919de3b78dd7ab0ff60d2c2896574eea888cbac982495eb504b8
MD5 hash:
94ea5828ac68c9b74ff66b1bfa1a3c91
SHA1 hash:
464fe2ad755178143bd92e3a0494315806cd4830
Link:
https://www.unpac.me/results/21892aa6-3ba4-46b6-af07-08d158a166b3/
SH256 hash:
9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897
MD5 hash:
6c90fa5b5c9de97a444b366ec0d14255
SHA1 hash:
90cd4499a264ac9e589a0a0c98e0258067aa22a7
Link:
https://www.unpac.me/results/21892aa6-3ba4-46b6-af07-08d158a166b3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9c267d6fa781/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c267d6fa78174b3cba8ac8de558d83a97efb8494ba1c675f1493cb41133a897

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/336614/

Comments