MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288
SHA3-384 hash: d61d236fdf40fff11f112f5353f30a8f3fdfc8b14756d1aade0011ea08a2f6ce648971ee3b2247bfbc1b1c857dca6312
SHA1 hash: f9f7cb5ce46461a2ee9b7353ff768a04738a55a2
MD5 hash: 1c0cd7c46199da37d5f4910a6322da90
humanhash: robin-hydrogen-december-lemon
File name: 1c0cd7c46199da37d5f4910a6322da90
File size: 1'547'296 bytes
First seen: 2023-02-20 11:34:58 UTC
Last seen: 2023-02-20 13:32:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 4a43ef13050d45ae61812b2997033821 (2 x GCleaner, 1 x SystemBC, 1 x Rhadamanthys)
ssdeep 24576:dFdHMCfUktBOKQm2h1L27l20PjhqmhCvgu167qqyG2aQQ6C/jvOGMQHc2cPNtQlL:9sktcS0KKBGAQZ7mG3lROqKD27Lz
Threatray 195 similar samples on MalwareBazaar
TLSH T11F65D0CB00161DF2C101CAFDF7E6B0A09CDB6A60ED1189F51286E4AFDDD6ADCA87544E
TrID:
  32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
  13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
  6.2% (.EXE) OS/2 Executable (generic) (2029/13)
dhash icon f5d8f4ccccf0f050
Reporter zbetcheckin
Tags: 32 exe signed

Code Signing Certificate

Organisation: arrow.com
Issuer: DigiCert TLS RSA SHA256 2020 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2022-08-30T00:00:00Z
Valid to: 2023-08-30T23:59:59Z
Serial number: 0439fccde6e543f464d789cff8fe024b
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 4a7804fb988c5dc61d03afda2634e67c50a43dd0885bed069ce4165febed9bdd
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
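The issuer shown above, DigiCert TLS RSA SHA256 2020 CA1, is a TLS server-certificate intermediate, and the Organisation value is a domain name rather than a company name. Before treating the "signed" tag as meaningful it is therefore worth checking whether the signing certificate even carries the id-kp-codeSigning extended key usage (1.3.6.1.5.5.7.3.3): Authenticode rejects a signer certificate without that EKU no matter how cleanly the chain builds. The following added example (written for this page; not MalwareBazaar or ReversingLabs code) locates the PE certificate table, pulls out the PKCS#7 blob and reports whether the codeSigning and serverAuth EKU OIDs appear in it. The PE bytes it runs on are constructed inside the script; the OID byte strings are the standard DER encodings.

```python
"""Extract the Authenticode PKCS#7 blob from a PE and check for EKU OIDs.
Added triage example, not MalwareBazaar or ReversingLabs code. build_fake_pe()
produces a constructed, non-loadable PE purely so the script runs offline."""
import struct

# DER-encoded OBJECT IDENTIFIERs: tag 0x06, length 8, then the arcs.
OID_CODE_SIGNING = bytes.fromhex("06082b06010505070303")  # 1.3.6.1.5.5.7.3.3
OID_SERVER_AUTH = bytes.fromhex("06082b06010505070301")   # 1.3.6.1.5.5.7.3.1


def security_directory(pe: bytes):
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY or None.
    Unlike every other data directory, this entry stores a raw file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                  # skip "PE\0\0" and the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                       # PE32: data directories at +96
        dd_base = opt + 96
    elif magic == 0x20B:                     # PE32+: data directories at +112
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    off, size = struct.unpack_from("<II", pe, dd_base + 4 * 8)  # index 4
    return (off, size) if off and size else None


def extract_pkcs7(pe: bytes):
    """Walk the WIN_CERTIFICATE records and return the first PKCS#7 blob."""
    loc = security_directory(pe)
    if loc is None:
        return None
    off, size = loc
    end = off + size
    while off + 8 <= end:
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > len(pe):
            break                            # truncated or corrupt record
        if cert_type == 0x0002 and length > 8:   # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            return pe[off + 8:off + length]
        off += (length + 7) & ~7             # records are 8-byte aligned
    return None


def eku_triage(pe: bytes) -> dict:
    """Report whether the blob mentions the codeSigning / serverAuth EKU OIDs.
    Presence anywhere in the blob is a hint, not a verified signer EKU."""
    blob = extract_pkcs7(pe)
    if blob is None:
        return {"signed": False}
    return {"signed": True,
            "code_signing_oid": OID_CODE_SIGNING in blob,
            "server_auth_oid": OID_SERVER_AUTH in blob}


def build_fake_pe(blob: bytes, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE whose certificate table wraps `blob`."""
    e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    cert_off = e_lfanew + 4 + 20 + opt_size  # certificate table follows headers
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    wincert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    struct.pack_into("<II", opt, (112 if pe32plus else 96) + 4 * 8,
                     cert_off, len(wincert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + wincert


if __name__ == "__main__":
    # A blob that only carries the serverAuth EKU, like a TLS leaf would.
    tls_like = b"\x30\x0a" + OID_SERVER_AUTH
    print(eku_triage(build_fake_pe(tls_like)))
```

An OID found anywhere in the blob is a triage signal only: the PKCS#7 also embeds the intermediate and any timestamp-countersignature certificates, so the OID may belong to one of those. Confirm against the actual signer certificate with `signtool verify /pa /v sample.exe` on Windows or `osslsigncode verify sample.exe` elsewhere, both of which check the EKU and build the chain.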

Intelligence


File Origin
# of uploads: 2
# of downloads: 207
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 1c0cd7c46199da37d5f4910a6322da90
Verdict: Malicious activity
Analysis date: 2023-02-20 11:39:49 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Behaviour
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating synchronization primitives
Creating a file
Enabling autorun by creating a file
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckScreenResolution
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed shell32.dll
Result
Verdict: SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Mustang Panda
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Yara Genericmalware
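"Encrypted powershell cmdline option found" normally refers to PowerShell's -EncodedCommand switch (any unambiguous prefix down to -e is accepted), whose argument is base64 over UTF-16LE rather than encryption, so it can be decoded straight out of a process-creation log. The two WMI signatures (Win32_Bios, Win32_BaseBoard, Win32_DiskDrive) are the classic hardware queries used to fingerprint a virtual machine. The added example below is detection triage code written for this page, not sandbox or MalwareBazaar output: it decodes such arguments from process events and flags decoded content that matches either the WMI hardware queries or the Startup-folder persistence listed above. The events and the payloads inside them are constructed for illustration and were not recovered from this sample.

```python
"""Decode PowerShell -EncodedCommand arguments in process-creation events and
flag decoded content. Added example; the events below are constructed."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, down to -e.
# -ExecutionPolicy and friends are not prefixes and must not match.
ENCODED_FLAG = re.compile(
    r"(?<![\w-])-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)"
    r"\s+['\"]?([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)

# Strings in a decoded command that correspond to the behaviour reported on
# this page: WMI hardware queries (VM detection) and autorun persistence.
INDICATORS = {
    "wmi_vm_check": ("Win32_Bios", "Win32_BaseBoard", "Win32_DiskDrive"),
    "startup_persistence": ("\\Start Menu\\Programs\\Startup",
                            "CurrentVersion\\Run"),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded UTF-16LE payload of -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (ValueError, binascii.Error):
        return None
    if len(raw) % 2:                 # UTF-16LE payloads are always even-length
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def classify(decoded: str):
    """Return the indicator labels whose needles occur in the decoded text."""
    low = decoded.lower()
    return [label for label, needles in INDICATORS.items()
            if any(n.lower() in low for n in needles)]


def scan_events(events):
    """events: iterable of (pid, image, cmdline). Returns one finding per
    event that carried a decodable -EncodedCommand argument."""
    findings = []
    for pid, image, cmdline in events:
        decoded = decode_encoded_command(cmdline)
        if decoded is None:
            continue
        findings.append({"pid": pid, "image": image, "decoded": decoded,
                         "indicators": classify(decoded)})
    return findings


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it
    (base64 over UTF-16LE). Used here only to construct sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample events (invented for this example, not from this sample).
SAMPLE_EVENTS = [
    (4120, "C:\\Windows\\explorer.exe", "explorer.exe"),
    (5204, PS, "powershell.exe -nop -w hidden -enc "
     + encode_command("Get-WmiObject Win32_BaseBoard | Select SerialNumber")),
    (5310, PS, "powershell -ExecutionPolicy Bypass -File C:\\scripts\\ok.ps1"),
    (5388, PS, "powershell -e " + encode_command(
        'Copy-Item $env:TEMP\\u.exe '
        '"$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"')),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["pid"], f["indicators"], f["decoded"])
```

The regex deliberately skips -ExecutionPolicy and other switches that begin with -e but are not prefixes of -EncodedCommand, and it does not cover the other common shape, -Command with an inline [Convert]::FromBase64String(...) call, which needs a second decoding pass.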
Behaviour
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-02-20 11:35:09 UTC
File type: PE (Exe)
Extracted files: 6
AV detection: 17 of 25 (68.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SHA256 hash: 1d8ca51dc227ef7b158214b222afa356118519674ddface5a6490a3c0a8097f6
MD5 hash: ffb0d543bcb99d613e834c3ac8b8a787
SHA1 hash: 632311219d29acfd74a62f3c6da78377079e0c22
SHA256 hash: a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288
MD5 hash: 1c0cd7c46199da37d5f4910a6322da90
SHA1 hash: f9f7cb5ce46461a2ee9b7353ff768a04738a55a2
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Author:Willi Ballenthin
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-02-20 11:35:01 UTC

url : hxxp://77.91.84.92/3YXeKmIFGXNC.exe