MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9738738d885cb91e88c24692c61f6c1459992420a01bc061239d682cc7eabf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: b9738738d885cb91e88c24692c61f6c1459992420a01bc061239d682cc7eabf6
SHA3-384 hash: abb5f69807b58553f8ca20fd67e6182af84324ccdc0252ae3db49e3b6813fe81b61a6e108d81a55ae536feb4898d7957
SHA1 hash: 0e00e742a01d8c6878bbfbaa50d19f3d9752a662
MD5 hash: 8cdf768f8667f4d31efbcc2f1c1117a2
humanhash: king-georgia-rugby-mockingbird
File name: b9738738d885cb91e88c24692c61f6c1459992420a01bc061239d682cc7eabf6
File size: 553'824 bytes
First seen: 2022-05-06 08:40:25 UTC
Last seen: 2022-05-06 09:38:47 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b4070734502a100c8f90bbd445995533 (11 x CryptOne, 5 x DCRat, 2 x njrat)
ssdeep: 12288:aGHCnaomAEg3uPdkgLhx7E6yvEHoDVbhhif0u3h:aGHCm8uPdJLhx7Ghhg93h
Threatray: 1'064 similar samples on MalwareBazaar
TLSH: T11CC47AC165C0942DE0A3DF71C5AC5EF29BEBF81C4AE44FCE2EC2488F952B18C9625795
TrID:
  91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
  0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE): (icon image)
dhash icon: 6592a6a6a6a6c431 (1 x CoinMiner)
Reporter: JAMESWT_WT
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 230
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b9738738d885cb91e88c24692c61f6c1459992420a01bc061239d682cc7eabf6
Verdict: Malicious activity
Analysis date: 2022-05-06 09:01:15 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Reading critical registry keys
Sending a custom TCP request
Creating a file
Unauthorized injection to a recently created process
Stealing user critical data
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph: (image not reproduced)
Threat name: ByteCode-MSIL.PUA.GameHack
Status: Malicious
First seen: 2022-04-27 06:18:00 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 26 of 42 (61.90%)
Threat level: 1/5
Result
Malware family: n/a
Score: 9/10
Tags: discovery evasion spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks installed software on the system
Maps connected drives based on registry
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SHA256 hash: a319e9214fa9dce4fc93b4bb56c5499e2456a322a95c572852e649862de608b6
MD5 hash: dabc8299bf8c534874d69aaf2f341f82
SHA1 hash: e3366ab9e373fcaee5250f79f8e305e684837cbd

SHA256 hash: 187d05567c738e3a112240764ba36424b387c16595ed50bb2a16b2407657f2d4
MD5 hash: 2e19972aefc6ed55d9b83b1d35db422b
SHA1 hash: 6dc01ee9d7c5f47cb834bdeaa231a218e8e95289

SHA256 hash: 060e2f343575a15d9a038ec18564a7dc613661711f5ed57e35ce4ae199c5c2a4
MD5 hash: 66f840212281855685aec43ad0ce240b
SHA1 hash: c89e7a7cc585bbe56be18c1021191bbb2457f2aa

SHA256 hash: b9738738d885cb91e88c24692c61f6c1459992420a01bc061239d682cc7eabf6
MD5 hash: 8cdf768f8667f4d31efbcc2f1c1117a2
SHA1 hash: 0e00e742a01d8c6878bbfbaa50d19f3d9752a662
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments