MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3
SHA3-384 hash:	1f9177aa34ac5299c061565191a782138b9c0578e139d28f560c89baf4bda23730ffd8ab7f1aca4bc46cba1e5dc3e02d
SHA1 hash:	58d66e212f7f335a7040a35f3771b9029e849410
MD5 hash:	1805f6f7ca75a269a2112ee2e6e15ffc
humanhash:	aspen-seventeen-sixteen-alpha
File name:	9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3
Download:	download sample
File size:	1'529'344 bytes
First seen:	2022-07-13 06:29:31 UTC
Last seen:	2022-07-13 08:07:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:1x0vtufKPsjpkbPwdnITPkGr9HtTwkpXDvASps9ojoU6ISv3OvSJ9QFQfrXuY67:1m7hzwdcsGttTwsUA0cSPaQf
Threatray	100 similar samples on MalwareBazaar
TLSH	T18865AE62F9C2C172FDD515BA83FE2B371F394506A32984E776C419A09AA10E275BF343
TrID	62.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 23.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 4.1% (.SCR) Windows screen saver (13101/52/3) 3.3% (.EXE) Win64 Executable (generic) (10523/12/4) 2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	JAMESWT_WT
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

237

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3

Verdict:

Malicious activity

Analysis date:

2022-07-13 06:32:42 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f11599e1-dd56-42bd-84eb-a6fae2304cab

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286757/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop20.3922.15568.30609.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

cmd.exe packed regedit.exe

Link:

https://www.filescan.io/uploads/62ce666fd6d93426cee90333/reports/6d18d268-4baa-4859-ba38-6b1be786a90c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/50315f72-9c91-42d0-b811-e26f6c7d255a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1029896

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3/

Threat name:

ByteCode-MSIL.Trojan.Casdet

Status:

Malicious

First seen:

2022-04-23 11:58:42 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=t3m52mlcon24gxe56wflt3abffnvpebyqkyrks5hw4xm7imlhtrq._file

Verdict:

malicious

0b3020eb6b8360bae5958d4f8e877fe532d1c21bbaa851c364aaef0b6f67e1ac

1254eb8dd2f4b697e0bad62b9accdd5e9553e920dd131a450d742ba80844899c

1f68e889d3c4c7f8049bad4abd042fcd05e84ac96bf23d86e2e95aa8fe346593

3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676

5b682f3038aea6c3db35ba85a82712a1920adddd5587777742ca711dcd729757

8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23

aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211

eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9

ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846

+ 90 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/220713-g9glzadhf6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

4d4d0b954f637563ee723d04ac40dcff9b9b83ecbd3420289c83b13c9bc3ff53

MD5 hash:

bfaf6445c3e279f8657c7705d606be40

SHA1 hash:

f27cb7412a29a89ca7a43a7b68adf0b204ec833f

Link:

https://www.unpac.me/results/b3a57fe3-0878-40f5-8541-594f3cbf051d/

SH256 hash:

b06538567c22a6b3ffe869bdfa52c8fc7ef71f8bfc7f40ee4e29d68b1b6272f9

MD5 hash:

ec2d7e09e74424a231b8cb14eea7c7fc

SHA1 hash:

d19284649738f682f57885303f8d6885340727cd

Link:

https://www.unpac.me/results/b3a57fe3-0878-40f5-8541-594f3cbf051d/

SH256 hash:

9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3

MD5 hash:

1805f6f7ca75a269a2112ee2e6e15ffc

SHA1 hash:

58d66e212f7f335a7040a35f3771b9029e849410

Link:

https://www.unpac.me/results/b3a57fe3-0878-40f5-8541-594f3cbf051d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286757/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample