MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123
SHA3-384 hash:	83fc4db860711e0146216644374bee121f670664e804ba842548dde7ff571d1815d57421834d48de479031d1fd9f6b4e
SHA1 hash:	a6b4fda0e4ab8137b6e8cdfea85ba66ff4b11b4b
MD5 hash:	b749832e5d6ebfc73a61cde48a1b890b
humanhash:	queen-princess-river-nitrogen
File name:	setup.exe
Download:	download sample
File size:	721'408 bytes
First seen:	2021-04-10 13:52:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	821bcaaa938f2cb9f56fbc1d4f9ddc4b
ssdeep	12288:Qe/S3sCPfhmxjjpmt0OlIheYbJAvSq8ZlUfMcZMSIP/LWvHR+NN8xTm/+jK02:NeSot0jTFAvS7ZufMcZMT/6p+NqG+l
Threatray	8 similar samples on MalwareBazaar
TLSH	45E4BF23F5D28076D47310304569BB364EBEFA210535CEAB63D419588FF81E1AE3B6A7
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

149

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

8t4d8d1hyTq7.exe

Verdict:

Malicious activity

Analysis date:

2021-04-10 04:18:01 UTC

Tags:

evasion opendir loader trojan stealer

Link:

https://app.any.run/tasks/ede6de44-d693-4aae-8848-47bd3503ccb5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/133491/

Detection(s):

Win.Malware.Fbkatz-9833093-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Connection attempt

Sending an HTTP POST request

Creating a file

Reading critical registry keys

Running batch commands

Launching a process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/672018

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123/

Threat name:

Win32.Trojan.Phonzy

Status:

Malicious

First seen:

2021-03-23 12:04:22 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

38 of 48 (79.17%)

Threat level:

5/5

Verdict:

suspicious

187e00f0ccff956d9c382ea3f888769ad5109f23a75ec51077c8b366ef45f1a9

1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55

2d80eb1f45fbbfa834211cb26597c463d3033217afa53cd9727f4030cf25e122

3419cd3aa1836577742af73aefa4d0fd5a198cbc4474af670408e6752f0dd89e

5971f27578f7a5d0f309a77148c431f78e6971cb0f1506c319432307471d3c80

b11bd18587058601cde1be46ec722f2ddc96fddd976f3a263e4d0358e8e08865

e5d7ddfeb660b0108c2cf04f5a878130afb7d5b6733f468cd62d2399b8cbd33a

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/210410-m7cdl15spe/

Behaviour

Runs ping.exe

Suspicious use of WriteProcessMemory

Deletes itself

Unpacked files

SH256 hash:

b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123

MD5 hash:

b749832e5d6ebfc73a61cde48a1b890b

SHA1 hash:

a6b4fda0e4ab8137b6e8cdfea85ba66ff4b11b4b

Link:

https://www.unpac.me/results/2216e6b2-3bf1-4dfd-853d-cb962f065f86/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/b88584dde985bb05eef183a2f339bef9ebdf7adf3b7ce58a71e78e638e6a2123

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Backstage_bin Create hunting rule
Author:	James_inthe_box
Description:	Backstage stealer aka Powerkatz
Reference:	b4e270dce231fd01c326f0828a3c5ad80012ebb932842aa8e420575859406fac

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/133491/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample