MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9
SHA3-384 hash: ff4138deff21dc5d6e52db0d2c5e0a3eae2bcbceb0b121f55734da005b544688620d64a636d309cdeba4166daea45a39
SHA1 hash: 3112266c3e423a03f8438d99f5acea6465ac055a
MD5 hash: 8e0fe5bce9b2a9a6e2f83f679d6f1112
humanhash: item-quebec-magazine-bacon
File name: 9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9
File size: 1'712'128 bytes
First seen: 2022-08-03 10:29:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: e0912741c855bfb82c0bd8b8bb1123f2
ssdeep: 49152:OKjwFIZcqZDQ0xzs24wq6Ed5hSKp4LTY/wYNML3:ZBZcV0W2pqrL3/bNm3
Threatray: 14'012 similar samples on MalwareBazaar
TLSH: T18F8523C2DE68153BD1735470A84765CDE5B90DE22F6AD4BB03E683DB79712A8E13E203
TrID: 33.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      17.6% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      14.0% (.SCR) Windows screen saver (13101/52/3)
      11.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
dhash icon: 702225070b8b8695
Reporter: JAMESWT_WT
Tags: exe Hangzhou Saifan Technology Co. Ltd.

Intelligence


File Origin
# of uploads: 1
# of downloads: 323
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9
Verdict: Suspicious activity
Analysis date: 2022-08-03 10:35:22 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
  Searching for the window
  Creating synchronization primitives
  Searching for synchronization primitives
  Creating a window
  Running batch commands
  Creating a process with a hidden window
  Launching a process
  Launching the process to interact with network services
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature
  Hides threads from debuggers
  Machine Learning detection for sample
  Multi AV Scanner detection for submitted file
  PE file has a writeable .text section
  Tries to detect virtualization through RDTSC time measurements

Threat name: Win32.Trojan.Leonem
Status: Malicious
First seen: 2022-05-12 07:09:27 UTC
File Type: PE (Exe)
Extracted files: 6
AV detection: 21 of 26 (80.77%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
  Suspicious use of SetWindowsHookEx
  Suspicious use of WriteProcessMemory
  Program crash
  Suspicious use of NtSetInformationThreadHideFromDebugger

Unpacked files
SHA256 hash: 6a9c47055284b30e44cc19205fb05b96f79950068bb8984e41c57bd6c24d0389
MD5 hash: 3c489acee8da55843fa260e601f0282b
SHA1 hash: ad3d4749f4bd485eb253192cc877c308dc1cff38

SHA256 hash: 9f665e80fd30880ad8a4e5955dcc7159d05d89dbaa691d7e4d162d402952b4e9
MD5 hash: 8e0fe5bce9b2a9a6e2f83f679d6f1112
SHA1 hash: 3112266c3e423a03f8438d99f5acea6465ac055a

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: without_attachments
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the absence of any attachment
Reference: http://laboratorio.blogs.hispasec.com/

Rule name: with_urls
Author: Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference: http://laboratorio.blogs.hispasec.com/
