MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4
SHA3-384 hash: ee8a8b19873615ac56eed995c7d2000312e0471efe0fdbac5eaa1263d79a2f505ab5c6cc0af544b9e71c53f21467608c
SHA1 hash: 6e3280fa3953ac2b42c9f2002b0a8188c2742f25
MD5 hash: 4d12325765be0951b3d05237dd68b3f8
humanhash: georgia-vegan-william-nuts
File name:SecuriteInfo.com.Win64.TrojanX-gen.21336
Download: download sample
File size:17'437'928 bytes
First seen:2022-09-27 08:18:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d54db7fa2e518e83dc2999e4a3a4172
ssdeep 98304:+JufaicMur3WcO4CDF45VDEbh72MElxtCu/qIYanzLxNDlJK6rWs1tyFRucs:+JFiYxCJ45u17JE/IQYOzV5lUFs6Kcs
Threatray 36 similar samples on MalwareBazaar
TLSH T1DF076B07F58190E5D4AED170CA26D272BA303C485B6027D73BA1BAB92F32BD46F79354
gimphash 532395eb3a934c552203e9621df1b9756e9995a24bb80d5a682a680e12e65a38
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 458696d4ccba8a00 (1 x Sality)
Reporter SecuriteInfoCom
Tags:exe signed

Code Signing Certificate

Organisation:www.finished.com
Issuer:www.finished.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-23T13:40:52Z
Valid to:2023-09-23T14:00:52Z
Serial number: 13f40ac8e13ad581401c422488003ea0
Thumbprint Algorithm:SHA256
Thumbprint: e5f0ef2eb1f7a9e4b482457a59d25523958c6e816855c0c84f370d6207c2c0a5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
lrPBx4qjVQLL_9.exe
Verdict:
Malicious activity
Analysis date:
2022-09-27 05:02:35 UTC
Tags:
loader stealer
Link:
https://app.any.run/tasks/3f29026e-d8ea-4510-9f9a-bc7c6d5572ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.TrojanX-gen.21336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Changing a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6332b1fc9cd210adb55ca56c/reports/9e7da5a7-6d96-4b54-b8ce-f60dbadf953c/overview
Result
Verdict:
MALICIOUS
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66a4feb8-c836-43bd-b833-5d86425e645c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1078148
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdxxtbph4au4n5tn3blrk2gqkpa2mw25je2vhoza7luii2t24lsa._file
Verdict:
unknown
Similar samples:
185162ce404a5fa9310340b9c39516ab09073c1460dfc1dd066541c1756563a4
3e755f19a2b5cff69e104ab1058776f00fb63defb5de012e7be20371cfd77598
41b141e122bd86a5c4279094916564759cc342ae3b95fffd80af4b9676aa61b7
4450df031fa2a81d17c5278b0542aabe3b05c0ad0d7e103c1fe8121b61a9ec65
82112a8c76d6bab37acadc1e1a113e43b6dc966f48b9f2a0cc8fdbd844ee2f7a
d576e059f376adc56b3ad3e62b5a808c26b6f70dfc50e10e4cd3b6eacfc5a2ea
dc7eab933986b8ff95bd88eff8d925ff1311c451ca1f88e1fd96eee10714ded2
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion spyware stealer themida trojan
Link:
https://tria.ge/reports/220927-j7vrxschh4/
Behaviour
GoLang User-Agent
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f42ac7d4-cc20-4a1f-8d1d-310642d0138a
Unpacked files
SH256 hash:
a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4
MD5 hash:
4d12325765be0951b3d05237dd68b3f8
SHA1 hash:
6e3280fa3953ac2b42c9f2002b0a8188c2742f25
Link:
https://www.unpac.me/results/5fec184c-03da-4110-a1c2-d5b2dab00473/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8ef7985e7e0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.29
Link:
https://yomi.yoroi.company/submissions/a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Create hunting rule
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a8ef7985e7e029c6f66dd8571568d053c1a65b5d493553bb20fae8846a7ae2e4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2314946/
  
Delivery method
Distributed via web download

Comments