MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448
SHA3-384 hash: 85216801ea43b6bf187fa0b90c7d7f389e355c8000d5f876d82cf0c4b6dde4afea3c2eb344f612cbf625a54a65a0eaa6
SHA1 hash: 84c44e9446097475559c34567af014cb50a5bf93
MD5 hash: fa0b89043edf03a3e3c27f0ad56114ea
humanhash: alaska-fruit-fix-ceiling
File name:winpro.exe
Download: download sample
File size:773'592 bytes
First seen:2021-09-27 14:56:23 UTC
Last seen:2021-09-27 19:31:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 63b82f4e52bdc0ca36b88701c436108d (2 x AsyncRAT)
ssdeep 12288:xEO2OYzW3RbnYxGtGnYxGtX0i5t7KY2JaGNK6laMSWcyoiY+Y683h:b25zW3Ro05gSeiY+V4h
Threatray 1 similar samples on MalwareBazaar
TLSH T15AF40226A224C4B2DEBD44B01C91BE779A295C305DD1FC2FAE487E5C6876F67810A337
File icon (PE):PE icon
dhash icon 1003873d31213f10 (142 x DarkCloud, 132 x GuLoader, 35 x a310Logger)
Reporter info_sec_ca
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://176.123.2.79/upload/winpro.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-22 06:27:26 UTC
Tags:
opendir loader
Link:
https://app.any.run/tasks/8c762ed3-1217-40cd-a012-1933468e1721

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192169/
Detection(s):
SecuriteInfo.com.__vbaHresultCheckObj.21996.7080.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bd073e44-8bf7-4a56-97b2-1181c60a2e39
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/859091
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential malicious icon found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491518 Sample: winpro.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 96 64 Potential malicious icon found 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Machine Learning detection for sample 2->68 70 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->70 8 winpro.exe 1 2 2->8         started        12 Player.exe.exe 2->12         started        14 Player.exe.exe 2->14         started        process3 file4 60 C:\Users\user\AppData\...\Player.exe.exe, PE32 8->60 dropped 76 Detected unpacking (changes PE section rights) 8->76 78 Detected unpacking (overwrites its own PE header) 8->78 80 Injects a PE file into a foreign processes 8->80 16 winpro.exe 26 8->16         started        82 Machine Learning detection for dropped file 12->82 21 Player.exe.exe 12->21         started        23 Player.exe.exe 14->23         started        signatures5 process6 dnsIp7 62 voltaire-overproduction-bordering.cc 45.9.150.80, 49745, 49750, 80 NICEITNL Netherlands 16->62 48 C:\Users\user\AppData\Roaming\...\unzip.exe, PE32 16->48 dropped 50 C:\Users\user\AppData\Local\...\unzip[1].exe, PE32 16->50 dropped 72 Tries to harvest and steal browser information (history, passwords, etc) 16->72 74 Installs a global keyboard hook 16->74 25 cmd.exe 1 16->25         started        27 cmd.exe 2 16->27         started        29 cmd.exe 1 16->29         started        31 cmd.exe 1 16->31         started        file8 signatures9 process10 process11 33 unzip.exe 13 25->33         started        36 conhost.exe 25->36         started        38 PsInfo64.exe 1 1 27->38         started        40 conhost.exe 27->40         started        42 7za.exe 502 29->42         started        44 conhost.exe 29->44         started        46 conhost.exe 31->46         started        file12 52 C:\Users\user\AppData\...\vcruntime140.dll, PE32 33->52 dropped 54 C:\Users\user\AppData\Roaming\...\sqlite3.dll, PE32 33->54 dropped 56 C:\Users\user\AppData\...\softokn3.dll, PE32 33->56 dropped 58 9 other files (none is malicious) 33->58 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448/
Threat name:
Win32.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-09-22 03:48:14 UTC
AV detection:
28 of 45 (62.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
a4683800b5fc921a84ccb36a7fbd5bc003d558a5eef961d97348b3cbb7891155
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210927-sblzkshcfq/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
2455b9a1ae7a11d307793b07a31cc13e00d07fea7cc5c64137a4691e17afaa2c
MD5 hash:
8a73987f30801e40678a923960f540a8
SHA1 hash:
7ba1e96a02a820df212a3c6ccce3349e513fec9b
Link:
https://www.unpac.me/results/e7a39af8-55f4-4cec-b8db-ae13f4ddac52/
SH256 hash:
25ebfc263ba86ac60871de364098cd2ea951c463f7f867c54653337996b87aef
MD5 hash:
38692b1eb3213ccdc83fdb2da737bc72
SHA1 hash:
67d3872272bec3cda50dbebd42bb691e6b0e8c63
Link:
https://www.unpac.me/results/e7a39af8-55f4-4cec-b8db-ae13f4ddac52/
SH256 hash:
9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448
MD5 hash:
fa0b89043edf03a3e3c27f0ad56114ea
SHA1 hash:
84c44e9446097475559c34567af014cb50a5bf93
Link:
https://www.unpac.me/results/e7a39af8-55f4-4cec-b8db-ae13f4ddac52/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9f8d67fdc1473c31193fb36e7ca37005c9af1c4052f8944c42f4eb0ba6188448

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/192169/
  
URLhaus
https://urlhaus.abuse.ch/url/1645623/
  
Delivery method
Distributed via web download

Comments