MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46
SHA3-384 hash: 6b338228bac32ca30cc51a79b7aa84e45cf80b33152a9d1728e8f9ca3a64cb77907e5946367ed9f11e4ed0f52e484ccc
SHA1 hash: 16921387d01798153e3e983efba294b7daf278bb
MD5 hash: a4d62f7da9108a3b7388f20ea50768fc
humanhash: lemon-jupiter-minnesota-spring
File name:a4d62f7da9108a3b7388f20ea50768fc
Download: download sample
File size:2'650'696 bytes
First seen:2023-07-03 10:33:08 UTC
Last seen:2023-07-03 12:36:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:kx7VWTtqdkSug+9jXb+Ep1S9wRLnPco12f3nQJbk4u6x5:NBjXiEpnv+3nQWG/
Threatray 12 similar samples on MalwareBazaar
TLSH T102C5A503B6574FB9DB4D1B36C59B262CAFADDDC93723D71A2A8E136905C37A6C844203
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 4a696ddce4f4f261 (26 x Gozi, 9 x AgentTesla, 3 x FFDroider)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
261
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a4d62f7da9108a3b7388f20ea50768fc
Verdict:
Suspicious activity
Analysis date:
2023-07-03 10:33:58 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/782eec7b-db58-4354-97e1-964d3b332d08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/405868/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67869387.12942.2617.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin overlay packed stealer
Link:
https://www.filescan.io/uploads/64a2a41a51710bcd8d43f43d/reports/2ccaa8cc-83e9-4699-934c-8b95e1a7f7e1/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1591a1f8-ea88-4355-8245-a83cd459e998
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1265765
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-29 21:05:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tuqgnw2q45jzh6qshtficmg6d6ep6cwey5ey6m7krvldxejuhnda._file
Verdict:
malicious
Similar samples:
143d364dd50674268fcbf22c2914348ba92f6f1ec2822b43b39a5ba0ed316d77
2177882a8fb4bd06c84f61e81cb2fdf862e88f0a86b66a10faa88801696422cd
25e0f6235b109679e8f74f142eb8807c825d33070c7161c86b9600650559247e
5726631bd5354455869b80013d408d97b6d479d61697aecfa253fb42caed3b1b
5d0c01b1ceef88fb8963383443d7b833df48e10f8708edbfadb457c4ca99ffb4
94ecbf6f04ad4476d6b032a83b96f93897af0e16821b76802aaafb11677ad836
bd213bacf745262d609025230b73d653d2ef62875f28860ea1b4d1a65f5c5cca
d7e4265853d2a220b4d89c06d529664436bf2d3aab76cd19bb3733771289fbad
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230703-ml33ysga78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46
MD5 hash:
a4d62f7da9108a3b7388f20ea50768fc
SHA1 hash:
16921387d01798153e3e983efba294b7daf278bb
Link:
https://www.unpac.me/results/50288f2c-ee85-44aa-a7d2-9f94589bb9e7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9d2066db50e75393fa123cca8130de1f88ff0ac4c7498f33ea8d563b91343b46

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2675893/
Cape
Cape
https://www.capesandbox.com/analysis/405868/

Comments


Avatar
zbet commented on 2023-07-03 10:33:09 UTC

url : hxxp://23.137.249.127/ddw23/pstol1.exe