MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c280e9eb8810c5032cd036691238a204886d52636926011b839a7716da6e51e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c280e9eb8810c5032cd036691238a204886d52636926011b839a7716da6e51e
SHA3-384 hash: 4d33e0444aa51542ab37239debeb91ddc4a3a8e52f5c28d2e9592f2175c88ee6bce2c36ec6bfdc68da9e5d1d0eb410e3
SHA1 hash: 804da91bb9c116e748cd425c6c15ade2007ed78b
MD5 hash: b60df2929f8b4794e011252b94c6027a
humanhash: failed-mango-uranus-island
File name:x.dll
Download: download sample
File size:84'480 bytes
First seen:2022-03-17 14:17:26 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 1536:EqEFNDRSvi1Fo13eJG53G73mxdvdzO9qCDU:3EFNDEi1Fy32GhNvRO9qCDU
Threatray 1'160 similar samples on MalwareBazaar
TLSH T13A839E4033E49904DAA9077A8AE7A110137E7E176276CB0E2EDE32CD5D327C79912BD7
Reporter James_inthe_box
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/251966/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Launching a service
Creating a file
DNS request
Creating a file in the system32 directory
Setting a global event handler for the keyboard
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/623343200cd58dbd92aeec45/reports/5066b9fa-3565-4376-a2b4-008e8eb53f74/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6980c063-e1e6-44b2-b8ef-fdd5d44d4748
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/958796
Signature
.NET source code references suspicious native API functions
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 591279 Sample: x.dll Startdate: 17/03/2022 Architecture: WINDOWS Score: 60 13 Multi AV Scanner detection for submitted file 2->13 15 .NET source code references suspicious native API functions 2->15 17 Machine Learning detection for sample 2->17 19 Sigma detected: Suspicious Call by Ordinal 2->19 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c280e9eb8810c5032cd036691238a204886d52636926011b839a7716da6e51e/
Threat name:
Win32.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-01-21 19:52:00 UTC
File Type:
PE (.Net Dll)
Extracted files:
22
AV detection:
15 of 34 (44.12%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
00d41d97a84f12b8dba8bca50931375381a4a1233587c6ddc730fbc9d53844c1
29286d65248d0005ca9c13110d5563b892150291ff16086b29938050a746251f
6435d4b7d16a8e90e06412b46424a120189f25fa721c1140b49e64dc065ec325
e3b00f110d5cc6cb2c629bec71c8f49a1c0d76d584d5277d959fbbebcb26e47f
e4fa6ae6c4c821c3945c75ca69df7cb2db11935e7d5f27190bef848b32a90556
f67b83f5cfb5d9eee0b50739aeee606e79b627af3409a9730bc7b02cbc45f9b0
+ 1'150 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220317-rl99gscbfk/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
9c280e9eb8810c5032cd036691238a204886d52636926011b839a7716da6e51e
MD5 hash:
b60df2929f8b4794e011252b94c6027a
SHA1 hash:
804da91bb9c116e748cd425c6c15ade2007ed78b
Link:
https://www.unpac.me/results/c18ed602-0f1f-4476-b3de-256b15833fc1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9c280e9eb8810c5032cd036691238a204886d52636926011b839a7716da6e51e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/251966/

Comments