MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metasploit


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6
SHA3-384 hash: 29f8fa25801817c6ebecc1273d9a8f567156ccb887f3ac317768d0372d0110633cd3a82915ae039dc6b658d758c2b3d2
SHA1 hash: 5712a3cd5c72e2cfb648135a97850637ac9c4681
MD5 hash: 1f7f6928534ff002dbe843380d619e45
humanhash: lemon-music-bacon-five
File name:b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6
Download: download sample
Signature Metasploit
Create hunting rule
File size:241'088 bytes
First seen:2022-07-18 06:50:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ee7e3a1fa89bec40bebc3ea9519f17d (1 x Metasploit)
ssdeep 3072:iumnHhDaVB4gUtWbP8cJfpmIFGkyooKrulU2FrfUIfNjfvbBt/Tt:ZmncVB4x4P8cJAn/bU47J1jfDjrt
Threatray 13'383 similar samples on MalwareBazaar
TLSH T18734AD31F76CAD29FA303FBA59B897521C9C70F32B24D326760C766539A53881EBC119
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter JAMESWT_WT
Tags:5Y TECHNOLOGY LIMITED exe Metasploit signed

Code Signing Certificate

Organisation:5Y TECHNOLOGY LIMITED
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2022-03-31T00:00:00Z
Valid to:2023-03-15T23:59:59Z
Serial number: 25ba18a267d6d8e08ebc6e2457d58d1e
Intelligence: 4 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: e59824f73703461c2c170681872a28a9bc4731d4b49079aa3afba1d29f83d736
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
249
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/291480/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/26577/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive greyware obfuscated overlay packed packed shell32.dll
Link:
https://www.filescan.io/uploads/62d5031aef2b0e63a8215aba/reports/fd5248a9-7e02-4ba0-94ee-dae14bd92d9e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0ea941a1-edfe-4b08-ad8b-6cb24fa08cca
Result
Threat name:
Metasploit
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1035526
Signature
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Metasploit Payload
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 668021 Sample: MzTHF8vJ54 Startdate: 18/07/2022 Architecture: WINDOWS Score: 76 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected Metasploit Payload 2->30 32 Machine Learning detection for sample 2->32 8 MzTHF8vJ54.exe 2 3 2->8         started        11 drm.exe 1 2->11         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\drm.exe, PE32 8->26 dropped 13 drm.exe 3 8->13         started        16 conhost.exe 8->16         started        18 conhost.exe 1 11->18         started        process5 signatures6 34 Multi AV Scanner detection for dropped file 13->34 20 drm.exe 13->20         started        22 conhost.exe 13->22         started        process7 process8 24 WerFault.exe 23 11 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6/
Threat name:
Win32.Trojan.RegistryStorage
Create hunting rule
Status:
Malicious
First seen:
2022-07-05 09:42:48 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wx7jv5usebplzbtylh3qazyswnfvyrjs4cevqqognufoxoem77da._file
Verdict:
malicious
Similar samples:
09ad72ac1eedef1ee80aa857e300161bc701a2d06105403fb7f3992cbf37c8b9
Metasploit
14096f9b01306019cb0f790402eab8be314a1332b6d9cdb0ccf35c56aed175b7
Metasploit
315045e506eb5e9f5fd24e4a55cda48d223ac3450037586ce6dab70afc8ddfc9
Metasploit
4c6db804a366a11a3321f87543f03c45e1785fed75a1c5e21ce39b658f6bb5bd
Metasploit
6c827d61cbe6d4b9c2851c1c234353265188e805cc27ebe195b9133e1f8fcc80
Metasploit
b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2
Metasploit
c2c66ec47fc9c969de74cbb8ae050243e5c51e8033811cb04bd3b975d0037d1b
Metasploit
cfa1ef201a4dec456d4d6ffddc96267fcbf212f45616223fc8b3c675639f055b
Metasploit
+ 13'373 additional samples on MalwareBazaar
Result
Malware family:
metasploit
Create hunting rule
Score:
  10/10
Tags:
family:metasploit backdoor trojan
Link:
https://tria.ge/reports/220718-hmg5naabc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
MetaSploit
Malware Config
C2 Extraction:
10.30.4.18:5555
Unpacked files
SH256 hash:
4b9f9edfaa46873f1e1eebd85a8f888e1bb3cbc9adf5e913e9be3adc7a5de5cb
MD5 hash:
6dac8ffe230df884478710d2feeb7064
SHA1 hash:
1b52ad9542379384f43d765f73cca7b995daeeb8
Link:
https://www.unpac.me/results/a23e0962-ead8-4f16-a6c4-1e0075479ddc/
SH256 hash:
34f9e419fb100159fe4ba56f14303b8cad67a95d31f3898fd18afe0b68892432
MD5 hash:
ace367c7fc8440cfbcab69f9e93b1c0f
SHA1 hash:
9506d2177d99a4c77edd15edcd41b2c2dbdad2b1
Detections:
win_whispergate_auto
Create hunting rule
Link:
https://www.unpac.me/results/a23e0962-ead8-4f16-a6c4-1e0075479ddc/
SH256 hash:
f4a497679ee09feba989312f89cc53f7aa737cace1408c09e21bdd722d9bd33c
MD5 hash:
cf0926825be464b3942b6890f1c6bfcb
SHA1 hash:
fed9a994697f4214a341e46b3ebd259532b38d0e
Link:
https://www.unpac.me/results/a23e0962-ead8-4f16-a6c4-1e0075479ddc/
SH256 hash:
b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6
MD5 hash:
1f7f6928534ff002dbe843380d619e45
SHA1 hash:
5712a3cd5c72e2cfb648135a97850637ac9c4681
Link:
https://www.unpac.me/results/a23e0962-ead8-4f16-a6c4-1e0075479ddc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/b5fe9af692205ebc867859f7006712b34b5c4532e0895841c66d0aebb88cffc6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/291480/

Comments