MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc121c5c9a9a1771a52101a2c664c622b23dfd1ad31ce6c1e92c902bebdb248. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 9dc121c5c9a9a1771a52101a2c664c622b23dfd1ad31ce6c1e92c902bebdb248
SHA3-384 hash: 2c509053ab23c46c65f1f903c4aebdd20b65517b31de7c50000d81987396cbd64c902ff45cd2b49fae35842fdae8ff71
SHA1 hash: 1844bf3c0f506e919ed1100e71dcb57c0a68201e
MD5 hash: e5ca9d51a4b6e15d0dc86815068d1dd3
humanhash: autumn-chicken-east-sad
File name: 849128312.cmd
File size: 42'476 bytes
First seen: 2024-10-12 18:53:47 UTC
Last seen: Never
File type: cmd
MIME type: text/plain
ssdeep: 768:yN0Dob1EpMPHfJbm9Y3bt6LflJuDPqh2fd5SmUa+1c+TH28zvwkG8XJ:00DcEO0CrtSliPY2HSmUl1jd/XJ
TLSH: T17313CF4E2C211851BCF8A669546CE471E3BCE7D22F2AC8FC523AADD9527D4D3DAD9C00
Magika: batch
Reporter: 01Xyris
Tags: cmd

Intelligence

File Origin
# of uploads: 1
# of downloads: 78
Origin country: DE

Vendor Threat Intelligence

Verdict: Malicious
Score: 70%
Tags: Powershell Stration Shell Sage

Verdict: Unknown
Threat level: 10/10
Confidence: 100%
Tags: masquerade
Result
Verdict: UNKNOWN

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signatures:
- .NET source code contains potential unpacker
- AI detected suspicious sample
- Antivirus detection for dropped file
- Injects a PE file into a foreign processes
- Machine Learning detection for dropped file
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- Powershell is started from unusual location (likely to bypass HIPS)
- Reads the Security eventlog
- Reads the System eventlog
- Sigma detected: Base64 Encoded PowerShell Command Detected
- Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
- Suricata IDS alerts for network traffic
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Writes to foreign memory regions
- Yara detected AntiVM3
- Yara detected Costura Assembly Loader
- Yara detected Generic Downloader
Behaviour

Behavior Graph (ID: 1532433; Sample: 849128312.cmd; Startdate: 13/10/2024; Architecture: WINDOWS; Score: 100), rendered as a process tree:

849128312.cmd (sample)
  Network: s3-w.us-east-1.amazonaws.com; s3-1-w.amazonaws.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected AntiVM3; 6 other signatures
  started cmd.exe
    started 849128312.cmd.Fjz
      Network: s3-w.us-east-1.amazonaws.com (54.231.171.137, 443, 49706, AMAZON-02US, United States); bitbucket.org (185.166.143.48, 443, 49704, 49705, AMAZON-02US, Germany)
      Dropped: C:\Users\user\AppData\...\stealer-CR-0110.exe (PE32)
      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Powershell is started from unusual location (likely to bypass HIPS); 3 other signatures
      started stealer-CR-0110.exe
        Network: 3.5.27.130 (443, 49709, 49710, AMAZON-AESUS, United States)
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
        started InstallUtil.exe
          started WerFault.exe
      started InstallUtil.exe
        started WerFault.exe
    started xcopy.exe
      Dropped: C:\Users\user\Desktop\849128312.cmd.Fjz (PE32)
    started conhost.exe
    started 3 other processes
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BlackGuard_Rule
Author: Jiho Kim
Description: Yara rule for BlackGuard Stealer v1.0 - v3.0
Reference: https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments