MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794
SHA3-384 hash: f91841a89c0f0c2c11f115c8887c23f13add87125cd0b57f04f171ccfdc9222c1d8293448836902d6517b2c0422c20e7
SHA1 hash: 99b8c3e115b9b80203f31f3f63e9127d681b7c95
MD5 hash: 61a6bf9fcf9d893068d555de40be865a
humanhash: magnesium-rugby-bluebird-glucose
File name:af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794
Download: download sample
File size:9'205'590 bytes
First seen:2022-07-22 11:36:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1e92fd54d65284238a0e3b74b2715062 (21 x Empyrean, 4 x Gh0stRAT, 4 x Telemiris)
ssdeep 196608:5tLaAXUF2EAEmvdsCncW4njQthsiHzmvU3pa6Pao7kfhENytLZJGd3hyE:XxQ2EMvaCncbnKhsZGpa637zWjG
Threatray 23 similar samples on MalwareBazaar
TLSH T1E39633C4E68004E4EC2AA7399936CD3582237CB85A34955F17DD7E373FBB2E26839542
TrID 66.5% (.EXE) InstallShield setup (43053/19/16)
16.2% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
3.1% (.EXE) OS/2 Executable (generic) (2029/13)
3.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
303
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794
Verdict:
Malicious activity
Analysis date:
2022-07-22 11:38:44 UTC
Tags:
installer stealer
Link:
https://app.any.run/tasks/81fbc03e-f97f-47e6-af78-03de26d3edeb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293389/
Detection(s):
SecuriteInfo.com.Trojan.Agent.Script.1713931.10438.20114.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Reading critical registry keys
Creating a window
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/27048/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed python wacatac
Link:
https://www.filescan.io/uploads/62da8c70ee649612ac612185/reports/31debf17-805e-4c1c-8834-cd97bdb4af78/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4735bc7a-5edf-41c3-be73-29a8a9d9f64c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1039195
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-07-20 08:34:06 UTC
File Type:
PE+ (Exe)
Extracted files:
470
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6biu6v7jszr27qswwroixuz4uaj6pe7ltx6a5qpucvyqd3ee6ka._file
Verdict:
unknown
Similar samples:
0c4053cd19c412ce31dcc933a512da0e5fb9433e6b7d69851d1289d4ce2e59b9
0df6eca30071051714c4d1b5bd16e11feb7a76ab208c907771d0dd470d91ab07
329d77b0ab5af0e568b9d56e3c3f7afc4266bf2cea0bd816ed4e67d4c9a09692
414d8e74cdb96fe1e8742018494be41cdebd5c11804a30a7876a5bcd7bf01764
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
4b56d8713523dea09695ec6beef98608c234e5f8a9be77be931a687c080fb0f1
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
63499ea2f5bb554931547eb8cda06ce7e862a0c81ab68ba42b71a722fa2fc853
6e86ad43d7677a7d9a81ac9dd17df97703dfb49ee4456601b4fa2edd518ce0e5
a07afb3f48c05bc311adc6a9473310e6b35e14f14920e543ee8ca032a0af637f
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller spyware stealer
Link:
https://tria.ge/reports/220722-nq5m1sehd5/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794
MD5 hash:
61a6bf9fcf9d893068d555de40be865a
SHA1 hash:
99b8c3e115b9b80203f31f3f63e9127d681b7c95
Link:
https://www.unpac.me/results/1532fc78-8035-443a-82a2-62a8f279f7a9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af828a7abf4cb31d7e12b5a2e45e99e5009f3c9f5cefe0760fa0ab880f642794

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/293389/

Comments