MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d22bacb457b0a1a05e676b6d0460c99eba3308553688a7425672c847f5e23d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: 9d22bacb457b0a1a05e676b6d0460c99eba3308553688a7425672c847f5e23d2
SHA3-384 hash: cc1415a1107c19db0d3294720f17a14ab5f7be29d93286eeb67df597e9a68cf85a6795f6ce73a1715e04220a5324c0c1
SHA1 hash: d28c59f4707fc49d9217ff62b6e9bd59a6803b21
MD5 hash: 17afdadc5b9e4d5c61baa3400088802d
humanhash: timing-cardinal-east-edward
File name: 17afdadc5b9e4d5c61baa3400088802d.exe
File size: 1'506'946 bytes
First seen: 2023-01-28 17:35:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 24576:wNA3R5drXRDz3CxzC7g9zjQo3dIW0Jo0ubXk8MFIzMFIvbQNAwBeAZoArMM6JW:p5lD2f93Q4qHubXGLeiLBPZYW
TLSH: T101652241B5D049B1E4B71A321DB9A322A9BD7D201E34DA1F73E87D3C9E325D0A215BB3
TrID: 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 4d8e170f0c0f0c4d (1 x QuasarRAT, 1 x AsyncRAT)
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 186
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 17afdadc5b9e4d5c61baa3400088802d.exe
Verdict: Malicious activity
Analysis date: 2023-01-28 17:37:15 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Running batch commands
Creating a process from a recently created file
Launching a process
Launching a service
Creating a file
Changing a file
Delayed writing of the file
Unauthorized injection to a recently created process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 60 / 100
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID: 793567; Sample: ChfEBAwASB.exe; Startdate: 28/01/2023; Architecture: WINDOWS; Score: 60):
ChfEBAwASB.exe started (Multi AV Scanner detection for submitted file)
    dropped: C:\Users\user\AppData\...\iobdsg.sfx.exe (PE32)
    cmd.exe started
        iobdsg.sfx.exe started (Multi AV Scanner detection for dropped file)
            dropped: C:\Users\user\AppData\Roaming\iobdsg.exe (PE32)
            iobdsg.exe started (Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file)
        conhost.exe started
Threat name: ByteCode-MSIL.Trojan.Cryptos
Status: Malicious
First seen: 2023-01-28 16:53:00 UTC
File Type: PE (Exe)
Extracted files: 37
AV detection: 13 of 25 (52.00%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB
Rule name: sfx_pdb
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.
Rule name: sfx_pdb_winrar_restrict
Author: @razvialex
Description: Detect interesting files containing sfx with pdb paths.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 9d22bacb457b0a1a05e676b6d0460c99eba3308553688a7425672c847f5e23d2 (this sample)
Delivery method: Distributed via web download

Comments