MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c
SHA3-384 hash: 907d3f45910bb0e71ff3d69eda2843226c6d447002f869a40a1c6329ea656c2124cfb4ac74f7e17d704bab49a2d617f3
SHA1 hash: f6bf7cf9374dcbf9bf071511a04442ae514519fe
MD5 hash: 8095665fcc4c048b4710e0de4f17a7cb
humanhash: pip-nineteen-aspen-mountain
File name:file
Download: download sample
File size:12'665'856 bytes
First seen:2023-03-09 21:47:23 UTC
Last seen:2023-03-09 21:47:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 196608:sgF3ZyqzxbAQvaNJm3AqowejuJDUX47dwdW0tnFwB2nT7vYPJSuI2wlH:pFJyyxy/m3poaUX47d4VnNHeU
Threatray 167 similar samples on MalwareBazaar
TLSH T123D63385B2F008F5D8759235D981D97097BAF836077496CF9388427B2F33AD0A877E26
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET exe MSIL

Intelligence

File Origin
# of uploads :
2
# of downloads :
236
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-09 21:50:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23a8a27c-c471-4b84-b870-52cecfbddb29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373165/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
63%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/640a54173774707c2639af3b/reports/91470616-f05d-4c4a-b4a5-eb10f32a8d0f/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9b7328d4-ede8-4dd0-aa7b-f14fa3b9f1fa
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1190801
Signature
Found potential ransomware demand text
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 823677 Sample: file.exe Startdate: 09/03/2023 Architecture: WINDOWS Score: 84 57 Multi AV Scanner detection for submitted file 2->57 59 Machine Learning detection for sample 2->59 61 Found potential ransomware demand text 2->61 9 file.exe 4 2->9         started        process3 file4 41 C:\Users\user\...\eNTptHaTCOhoCfWE.exe, PE32+ 9->41 dropped 43 C:\Users\user\AppData\Local\...\file.exe.log, CSV 9->43 dropped 45 C:\Users\user\AppData\Local\...\registers.exe, PE32 9->45 dropped 12 eNTptHaTCOhoCfWE.exe 72 9->12         started        process5 file6 47 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 12->47 dropped 49 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 12->49 dropped 51 C:\Users\user\AppData\...\win32security.pyd, PE32+ 12->51 dropped 53 65 other files (none is malicious) 12->53 dropped 63 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->63 65 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 12->65 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->67 69 4 other signatures 12->69 16 eNTptHaTCOhoCfWE.exe 6 12->16         started        signatures7 process8 dnsIp9 55 192.168.2.1 unknown unknown 16->55 19 cmd.exe 1 16->19         started        21 cmd.exe 1 16->21         started        23 cmd.exe 1 16->23         started        25 167 other processes 16->25 process10 process11 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        37 conhost.exe 25->37         started        39 164 other processes 25->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2023-03-09 19:48:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
1396
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u5deo6fa2ueazdgcxesdkshj3nfmnrqk66kmj22tnrs55f3c5ega._file
Verdict:
malicious
Similar samples:
270ee2e5c9f28b36a54747a4ff3a23a758cd555334b6aed7b70d437b0b5db7cf
5e10ebc93952475c75c3c489ccdf4631faadfbabf7788104b4a96138aecc9ebb
5fe32142dcc57fbdf2a827abcbf92f22d0e6b84aeb1d94f7a3c1c9f674d7567b
afca37e4b44aced677169e1e1b898cb49a2d689f8322e6e824f97ca9a5d49443
b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69
ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458
ccc9894ae7557a69148494ded97c5e496b6729022eaa1c62e1bd1ad71cf07d84
d45a1b5534537ec33ee203c046c53759b43cad93541793888b61f1371d3a8a2d
eb9445e9be4d04ce2f6248e43d0cd912b157ca36ee8da123430f94d8609c219b
+ 157 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230309-1nsa5acb3w/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SH256 hash:
348f47aa5448e5135adc5a4232f3f1b69eb93d83227dd9ab0e060476c7c544bc
MD5 hash:
c23f914f54bdfdbb4189ddabdebec70d
SHA1 hash:
8c6a72c231ba921f121c6d13e15f023697ddf045
Link:
https://www.unpac.me/results/b61628b8-03ad-4e9d-9bf9-8b456c8744bd/
SH256 hash:
a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c
MD5 hash:
8095665fcc4c048b4710e0de4f17a7cb
SHA1 hash:
f6bf7cf9374dcbf9bf071511a04442ae514519fe
Link:
https://www.unpac.me/results/b61628b8-03ad-4e9d-9bf9-8b456c8744bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a7464778a0d5080c8cc2b9243548e9db4ac6c60af794c4eb536c65de9762e90c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2559923/
Cape
Cape
https://www.capesandbox.com/analysis/373165/

Comments