MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c
SHA3-384 hash: 3786c5eadc9a1720e318815d0c720363a44cf9ee207b70a9dfebac7bb4dbd7ea5f2228031eb45cafc8afa8394d82e55c
SHA1 hash: 89213f63fae341871dc6cadf3d1cdda9679a7382
MD5 hash: f04f49cf0fac776cecde254b5b8e3b75
humanhash: march-muppet-beryllium-low
File name:file
Download: download sample
File size:1'797'127 bytes
First seen:2023-03-07 12:38:48 UTC
Last seen:2023-03-07 14:59:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:djSYsFy7sr5FlMFHPi3OgwF9l6g8Qj6gpcyqf23dpeeCXr77RK75L77P:dOYsFy7sr5j4dhjnl/s
Threatray 273 similar samples on MalwareBazaar
TLSH T16885CE716BC4FB21CC6823F2369B677403F545AD80A1EB0B6F49AEB16C168953B4B44F
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 00f8baace4accc00
Reporter jstrosch
Tags:.NET exe MSIL X64

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-07 12:40:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87297a4c-5eb3-4702-bc15-5515a6a5802c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/372237/
Detection(s):
SecuriteInfo.com.Variant.Tedy.304892.12250.5218.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Сreating synchronization primitives
Creating a file
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/6407306d67ca02bce170ad2e/reports/48cf8c76-e903-4a7f-a23f-6d8d74d6b611/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8c1473de-7e4a-478c-86e3-31e639f4b513
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1188536
Signature
Connects to many ports of the same IP (likely port scanning)
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 821416 Sample: file.exe Startdate: 07/03/2023 Architecture: WINDOWS Score: 96 36 helloworld123.zapto.org 2->36 38 raw.githubusercontent.com 2->38 40 github.com 2->40 50 Multi AV Scanner detection for submitted file 2->50 52 Yara detected MSILDownloaderGeneric 2->52 54 Machine Learning detection for sample 2->54 56 3 other signatures 2->56 8 jopir.exe 3 2->8         started        12 file.exe 6 2->12         started        signatures3 process4 dnsIp5 42 helloworld123.zapto.org 79.134.225.99, 44810, 44820, 49708 FINK-TELECOM-SERVICESCH Switzerland 8->42 60 Multi AV Scanner detection for dropped file 8->60 62 Machine Learning detection for dropped file 8->62 64 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->64 66 Encrypted powershell cmdline option found 8->66 15 powershell.exe 14 17 8->15         started        30 C:\Users\user\AppData\Local\...\jopir.exe, PE32+ 12->30 dropped 32 C:\Users\user\...\jopir.exe:Zone.Identifier, ASCII 12->32 dropped 34 C:\Users\user\AppData\Local\...\file.exe.log, CSV 12->34 dropped 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->68 file6 signatures7 process8 dnsIp9 44 cdn.discordapp.com 162.159.133.233, 443, 49710 CLOUDFLARENETUS United States 15->44 46 192.168.2.1 unknown unknown 15->46 26 C:\Users\user\AppData\Local\Temp\njkns.exe, PE32+ 15->26 dropped 48 Powershell drops PE file 15->48 20 njkns.exe 2 15->20         started        24 conhost.exe 15->24         started        file10 signatures11 process12 file13 28 C:\Users\user\AppData\Roaming\njkns.exe, PE32+ 20->28 dropped 58 Machine Learning detection for dropped file 20->58 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c/
Threat name:
Win64.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2023-03-07 00:42:59 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
15 of 25 (60.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t73rwyz4sr4ufvnswt75ydtxdspbm6xbz4d5yetm5lgn6serv2oa._file
Verdict:
malicious
Similar samples:
0e26bbb3236e15e0ba06e697c49c89d2b23f203d59e593b284221d1f431f73af
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
45bb069a3ebb02281ce014ef985f3c31f1186c086d331adbe3f07950aaa5ed8f
5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3
5e6776ba02afa4c03138edcdf1e10dabee3efd6afd1620dcdb3138e7632bcb79
a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288
b2e31ed9833299ec3c166877db92ff5d477858f5867ca5494b26a82558e4616e
f15bf4c786172149ed0b9e57b08c695b01095b9167de714ea61768f021ae9ff0
+ 263 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230307-pvm47shd5t/
Behaviour
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Unpacked files
SH256 hash:
9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c
MD5 hash:
f04f49cf0fac776cecde254b5b8e3b75
SHA1 hash:
89213f63fae341871dc6cadf3d1cdda9679a7382
Link:
https://www.unpac.me/results/cd67b504-755c-4c93-b366-36f30426672c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9ff71b633c947942d5b2b4ffdc0e771c9e167ae1cf07dc126ceaccdf4891ae9c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/372237/

Comments