MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59
SHA3-384 hash: 6fff6227598f0c572c5cb217753f3601a07626324013592182dafd8453c6efc6a90e1ff5fdc983076febc715e93534c4
SHA1 hash: 748f3317b1dd391363c50bcc47220f3496c300a4
MD5 hash: 7e6afbbf4fb9e85efa3d9878d3fc132c
humanhash: johnny-london-dakota-stairway
File name:b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59
Download: download sample
File size:395'776 bytes
First seen:2021-10-28 10:35:33 UTC
Last seen:2021-10-30 05:22:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1305a15580dc16b03705958fda0bd246
ssdeep 6144:Ebp2kyWcPB8eDG9VKyFsUGuLKmFvLD88RGNo+ubNgo/35edglOX0YRTNR:J+eDAMwdhHvLD81sNgmlOkg
Threatray 16 similar samples on MalwareBazaar
TLSH T193847C4677A48CB6D82E9279CA538F4AD7B2BC114771C36F4360A35E5F333A15C2932A
File icon (PE):PE icon
dhash icon 71b119dcce576333 (3'570 x Heodo, 203 x TrickBot, 19 x Gh0stRAT)
Reporter JAMESWT_WT
Tags:94.140.112.183 exe lsvhy

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59
Verdict:
Malicious activity
Analysis date:
2021-10-28 10:36:18 UTC
Tags:
installer
Link:
https://app.any.run/tasks/ad0dd11c-3bad-4eb2-bdf3-94b53d869918

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/200892/
Detection(s):
SecuriteInfo.com.Win64.Kryptik.CRV.27886.14509.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware keylogger packed
Link:
https://www.filescan.io/uploads/617a7d169a5a1e91c5d99a14/reports/8cb773fe-1ff3-4b6a-826c-b13a4be10ec7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/08d98f2d-d6d5-4e07-b8c6-a1eeeb5c78f8
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/878501
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510932 Sample: MdVNNK1Gap Startdate: 28/10/2021 Architecture: WINDOWS Score: 84 88 Multi AV Scanner detection for submitted file 2->88 90 Sigma detected: UNC2452 Process Creation Patterns 2->90 13 loaddll64.exe 1 2->13         started        15 rundll32.exe 2->15         started        17 rundll32.exe 2->17         started        process3 process4 19 rundll32.exe 13->19         started        21 cmd.exe 1 13->21         started        24 rundll32.exe 13->24         started        26 rundll32.exe 13->26         started        signatures5 28 cmd.exe 1 19->28         started        92 Uses ping.exe to sleep 21->92 94 Uses cmd line tools excessively to alter registry or file data 21->94 96 Uses ping.exe to check the status of other devices and networks 21->96 30 rundll32.exe 21->30         started        process6 process7 32 rundll32.exe 28->32         started        34 conhost.exe 28->34         started        36 choice.exe 1 28->36         started        process8 38 cmd.exe 1 32->38         started        41 cmd.exe 1 32->41         started        signatures9 98 Uses ping.exe to sleep 38->98 43 rundll32.exe 38->43         started        46 PING.EXE 1 38->46         started        49 conhost.exe 38->49         started        100 Uses cmd line tools excessively to alter registry or file data 41->100 51 reg.exe 1 1 41->51         started        53 conhost.exe 41->53         started        process10 dnsIp11 104 Writes to foreign memory regions 43->104 106 Modifies the context of a thread in another process (thread injection) 43->106 108 Injects a PE file into a foreign processes 43->108 55 chrome.exe 12 43->55         started        58 cmd.exe 1 43->58         started        61 cmd.exe 1 43->61         started        86 127.0.0.1 unknown unknown 46->86 110 Creates an autostart registry key pointing to binary in C:\Windows 51->110 signatures12 process13 dnsIp14 84 159.223.27.224, 443, 49686 CELANESE-US United States 55->84 63 cmd.exe 1 55->63         started        66 cmd.exe 1 55->66         started        102 Uses cmd line tools excessively to alter registry or file data 58->102 68 reg.exe 1 58->68         started        70 conhost.exe 58->70         started        72 conhost.exe 61->72         started        74 reg.exe 1 61->74         started        signatures15 process16 signatures17 112 Uses cmd line tools excessively to alter registry or file data 63->112 76 conhost.exe 63->76         started        78 reg.exe 1 63->78         started        80 conhost.exe 66->80         started        82 reg.exe 1 66->82         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59/
Threat name:
Win64.Trojan.Bazar
Create hunting rule
Status:
Malicious
First seen:
2021-10-28 01:29:01 UTC
AV detection:
9 of 27 (33.33%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0793547b9e20fcb33a61abf134a8ffad5967d58377fc432f2a1c4d9ce46aa15e
1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6
1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10
314449ff757b308d440796441176566d3a6c17522dd75a8b24b70aab80458065
4ef27aa805d70d310dd56575525553be1baf7a48d4e7327f056ca0a5859c6ff6
508a816001e6d2f7b6617d9009e97c533d02d366055dad4eb17a9ee38915fa4b
60e3f1aa7f85ea1f92ad1415eb2fd129b790d84954a6537761be3e63338f2de7
8e4c165eb5f1072f84dfd76fd4966e455eaeb0df3a14d20559253d2ebabf7114
95347bea5432c09cc216f5db771b956eb78a43139789036af9446139967b1c7f
e6ecad8148c06e8e0fa14f1e3c9026703891b291c25180fe4936260c967d1c15
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211028-mm81lacbb9/
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59
MD5 hash:
7e6afbbf4fb9e85efa3d9878d3fc132c
SHA1 hash:
748f3317b1dd391363c50bcc47220f3496c300a4
Link:
https://www.unpac.me/results/b3958875-5643-4953-80fc-7529307fc4a6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b09d01a58a549aa6bb7c82061bf8e53985917794ad6a4d52ae62f05239964b59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200892/

Comments