MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af7bcb32cd16f313a65bddd6d04506346ad600c9971eb38760a634c3f2a3c5d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	af7bcb32cd16f313a65bddd6d04506346ad600c9971eb38760a634c3f2a3c5d6
SHA3-384 hash:	c7ba36f10c7c6ddf23574fb1df6bde5607e6ff6cf69e6a84dc4c8bc0b5e198916c2c0006bb79d64353e05459ff7ee99e
SHA1 hash:	6d445471765189a19d6245210f81652b7d89c93e
MD5 hash:	5b63cda540b81c5a1356209083567cb5
humanhash:	black-fruit-six-kitten
File name:	SecuriteInfo.com.Trojan.MulDrop19.61811.25281.28043
Download:	download sample
File size:	1'051'936 bytes
First seen:	2022-03-21 18:14:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b2955b470572ea88891dd6aa35eb0db6
ssdeep	24576:fbsqvdjGxsPpbfPu9IAxFwYdvOtzPJUfkDOnPQb2I:fIcjq6pbfPu9X+uOOkf
Threatray	35 similar samples on MalwareBazaar
TLSH	T12B25F1543F8CEFB9F29EA4F420786584C8976E990AF24024EF3F7095937EF45BA4A114
File icon (PE):
dhash icon	aa86b2b2e8ccf08e
Reporter	SecuriteInfoCom
Tags:	exe signed

Code Signing Certificate

Organisation:	Woodstock EU
Issuer:	Woodstock EU
Algorithm:	sha1WithRSAEncryption
Valid from:	2020-10-01T10:00:03Z
Valid to:	2030-10-02T10:00:03Z
Serial number:	16c4e9c5ee6979904435620f03665403
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	8a92d71ac7c65e4a3b8e7235646bf4a4c06780971ed1a60c756c91a04bcb4405
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

http://file-coin-coin-10.com/files/5402_1647207476_7362.exe

Verdict:

Malicious activity

Analysis date:

2022-03-15 04:19:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/7fd92594-0562-4baf-be37-32a71029cc20

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/253736/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop19.61811.25281.28043.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Searching for analyzing tools

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Launching a process

Creating a process from a recently created file

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

clipbanker greyware overlay packed shell32.dll

Link:

https://www.filescan.io/uploads/6238c0b0b94fb38cb4c5d3fd/reports/dec9d1e5-79c8-4025-b2a6-44d842bcc95c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Vidar

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2056c87e-afbf-4247-a9f2-26b6a1525b3d

Result

Threat name:

Clipboard Hijacker

Detection:

malicious

Classification:

spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/961209

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to compare user and computer (likely to detect sandboxes)

Found evasive API chain (may stop execution after checking mutex)

Hides threads from debuggers

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Clipboard Hijacker

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/af7bcb32cd16f313a65bddd6d04506346ad600c9971eb38760a634c3f2a3c5d6/

Threat name:

Win32.Trojan.Tnega

Status:

Malicious

First seen:

2022-03-14 06:45:30 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

28 of 42 (66.67%)

Threat level:

5/5

Verdict:

malicious

278ca7471b97ea8a649958dce92862dbb71659d1c89fa67a600cabb2e36daaff

387508d9f7c0d79b09bde31b037d1c43ceb1ce799a0cc94a77a20226477b47f7

768252369536d1e56aad57c5015925ec464642d13d76468db72e60f9ac4e1a54

81d263a31fc8b6fe2e2db250efd4314912eb09a11027a6cfc67257d7fa5e071a

+ 25 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/220321-wvxrzahgcm/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Executes dropped EXE

Unpacked files

SH256 hash:

af7bcb32cd16f313a65bddd6d04506346ad600c9971eb38760a634c3f2a3c5d6

MD5 hash:

5b63cda540b81c5a1356209083567cb5

SHA1 hash:

6d445471765189a19d6245210f81652b7d89c93e

Link:

https://www.unpac.me/results/3a520db0-5438-41a7-9cec-ba6fb064d816/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/af7bcb32cd16f313a65bddd6d04506346ad600c9971eb38760a634c3f2a3c5d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe af7bcb32cd16f313a65bddd6d04506346ad600c9971eb38760a634c3f2a3c5d6

(this sample)

Cape

https://www.capesandbox.com/analysis/253736/

URLhaus

https://urlhaus.abuse.ch/url/2109343/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample