MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae
SHA3-384 hash:	5050fe2c4ec7f4910fdd9df20ea2a0b18e4cf45c505f0e7b49c020b5dc828ac6b0ea271faf66b693b424b3c220ede5b3
SHA1 hash:	7bb78cf0f5a4d88766534d62236832a3f64e3ae0
MD5 hash:	84ae3b1643c4d9c252533524a3170903
humanhash:	saturn-virginia-delta-louisiana
File name:	tenki.exe
Download:	download sample
File size:	7'055'462 bytes
First seen:	2023-06-29 14:26:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0b5552dccd9d0a834cea55c0c8fc05be (16 x LunaLogger, 16 x BlankGrabber, 8 x CrealStealer)
ssdeep	98304:M+zTX4Pf1N2zIh3ET9Y9MxVMOPUh3PdWPEUrJY6AOxbHPS2zh/hQqfvsJ1YPwIu/:MAX4FMIZETKwjPePdrQJ/BNOqAYPL
Threatray	292 similar samples on MalwareBazaar
TLSH	T13F6612C6A7F106A5F72AC03C90E3D48795262CEF1EE495C20E6173699E7364E243AF35
TrID	66.5% (.EXE) InstallShield setup (43053/19/16) 16.2% (.EXE) Win64 Executable (generic) (10523/12/4) 7.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.1% (.EXE) OS/2 Executable (generic) (2029/13) 3.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	4cccb2459631ccc4
Reporter	obfusor
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

321

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

tenki.exe

Verdict:

Suspicious activity

Analysis date:

2023-06-29 14:27:53 UTC

Tags:

installer

Link:

https://app.any.run/tasks/4198d61a-2dba-4774-93f5-32d0c01dee44

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/403800/

Detection(s):

SecuriteInfo.com.HEUR.Trojan-PSW.Python.Agent.gen.8588.26986.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Restart of the analyzed sample

Sending a custom TCP request

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/94144/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control expand greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/649d94b75eae2fa61d80c749/reports/5fcbd89d-9a00-49ee-97e8-57cd9e1e3af8/overview

Verdict:

Malicious

Labled as:

Trojan.Shelm

Link:

https://www.hybrid-analysis.com/sample/a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ad4c089d-c006-473f-b918-dd883b1843e2

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1263325

Signature

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2023-06-29 14:27:07 UTC

File Type:

PE+ (Exe)

Extracted files:

299

AV detection:

7 of 24 (29.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u5rbmbe4xzqvjbk2rppmrq5d2jt42nt6hpv7776dm4qyzcxkxkxa._file

Verdict:

unknown

5d17781561881f8c412498515db843561d6a8971009431f390de99b3a46ec4bc

64a604a8f103b52f36a9f45ba809babfa68ee6d9e052818477d45350051ac499

6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8

75016e4ed0580c4b3baa3acdb2c9102eb073749ef91332d91ed982b6551ba870

7ccb7f63df4247bbe86f4c6dcea7ed51a17e0d5eea9843c29d2ef05d8208067e

94d64d00b0aa175cc28ecac33d829a33411cd0cb549018852c0ae82d592f5ec6

9d85f7e7bbce1fc023353548d2bd1a54223370ccc64f073bcd473545aa36f6bc

d2803b97a3cdb1787df9e3bd60818968fecb86bf7eb48bfa51e0757f055b95e4

+ 282 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/230629-rseq6adc73/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Unpacked files

SH256 hash:

a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae

MD5 hash:

84ae3b1643c4d9c252533524a3170903

SHA1 hash:

7bb78cf0f5a4d88766534d62236832a3f64e3ae0

Link:

https://www.unpac.me/results/f592a3cb-f1a2-4457-851b-48b4862d42d4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a76216049cbe6154855a8bdec8c3a3d267cd367e3bebffffc367218c8aeabaae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

Rule name:	SUSP_Imphash_Mar23_3 Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:	Internal Research

Rule name:	upxHook Create hunting rule
Author:	@r3dbU7z
Description:	Detect artifacts from 'upxHook' - modification of UPX packer
Reference:	https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/403800/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample