MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba
SHA3-384 hash: 5e84121eff116e9c526f4b12b6b97cff43ec9fe386cfc1e99ddaf5766a58d5ad3cf7bfb38f7d686198aa1e5439293e01
SHA1 hash: fc0e9918bb8f07864f57305aab03827ccdca2bf4
MD5 hash: 58696257ed6ba1e12890fe0511715384
humanhash: whiskey-potato-football-sixteen
File name:58696257ed6ba1e12890fe0511715384.exe
Download: download sample
File size:160'256 bytes
First seen:2023-11-12 13:17:57 UTC
Last seen:2023-11-12 15:26:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:w/nOJ2EyhSM3WfhopOFAxX1LFbvm87enbCbjVAJDHTneGHFzkGBm0hUg:sOPUSMoh9FAxFxT7enbCH2lYGA0
Threatray 18 similar samples on MalwareBazaar
TLSH T156F38C1292A46239F5F64EB4492CD3905733B496293EEE7CCD8C73C06E35B8696D072B
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.24765.13664.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Query of malicious DNS domain
Sending a TCP request to an infection source
Blocking the User Account Control
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6550d08c3dd412119bf8537d/reports/47912a1d-772a-4938-b0b7-87a5956bf9c5/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bf13b45b-15c6-4ff1-be5b-55534895bb65
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1341314
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates HTML files with .exe extension (expired dropper behavior)
Disables UAC (registry)
Drops script or batch files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1341314 Sample: rV87T07rIz.exe Startdate: 12/11/2023 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for domain / URL 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for URL or domain 2->69 71 8 other signatures 2->71 8 rV87T07rIz.exe 2 4 2->8         started        11 cmd.exe 2->11         started        process3 signatures4 77 Writes to foreign memory regions 8->77 79 Allocates memory in foreign processes 8->79 81 Adds a directory exclusion to Windows Defender 8->81 83 2 other signatures 8->83 13 CasPol.exe 15 182 8->13         started        18 powershell.exe 23 8->18         started        20 conhost.exe 11->20         started        process5 dnsIp6 59 193.106.175.190 IQHOSTRU Russian Federation 13->59 61 104.20.68.143 CLOUDFLARENETUS United States 13->61 63 3 other IPs or domains 13->63 51 C:\Users\...\yh41llRbEJnV6J1DQCeZdckv.exe, PE32 13->51 dropped 53 C:\Users\...\vLtZntZC6sLiRr2OEMUyKjD6.exe, PE32 13->53 dropped 55 C:\Users\...\vHVItoi0wDGVDWrqxsDqvBtf.exe, PE32 13->55 dropped 57 114 other malicious files 13->57 dropped 85 Drops script or batch files to the startup folder 13->85 87 Creates HTML files with .exe extension (expired dropper behavior) 13->87 22 XAsRt2D2IbfW91ZexWICtB9w.exe 9 13->22         started        26 gqbDJOlmyCUEpnh0dERhaowg.exe 13->26         started        28 6T8FCJAoIddYr8Iv1f85ZHbB.exe 13->28         started        32 14 other processes 13->32 30 conhost.exe 18->30         started        file7 signatures8 process9 file10 49 C:\Users\user\AppData\Local\Temp\Broom.exe, PE32 22->49 dropped 75 Multi AV Scanner detection for dropped file 22->75 34 Broom.exe 2 6 22->34         started        37 Broom.exe 26->37         started        39 Broom.exe 28->39         started        41 Broom.exe 32->41         started        43 Broom.exe 32->43         started        45 Broom.exe 32->45         started        47 11 other processes 32->47 signatures11 process12 signatures13 73 Multi AV Scanner detection for dropped file 34->73
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-11-11 20:56:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xjoc7xmynphnumg27ds7gku5afjsrawvc2jxheljmihtohn54c5a._file
Verdict:
malicious
Similar samples:
0f09f8f60741e8b3c28dc927ff1b3318d8faa623d641704b605bc38142f54f28
5c58a49c4390a1727fe88f652d72f5362b60aec3f3d53f08039a40e83a3bd0a8
79c6fb90545837f8ac314eaf24336831bf482b9dcc089d7002b990161002458a
7a32a5a6c5026b28050ee059ea20505cb3d6d214be8b24a7458141044a173b08
ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba
cc54075055057cc8c0de185f7fea71146bb0a8424d3dbd18ca1219c29ff706bd
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/231112-qjybgagg78/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Windows security modification
Downloads MZ/PE file
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba
MD5 hash:
58696257ed6ba1e12890fe0511715384
SHA1 hash:
fc0e9918bb8f07864f57305aab03827ccdca2bf4
Link:
https://www.unpac.me/results/bd8029eb-f78f-4595-9061-acb98ee0c33a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba5c2fdd986b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ba5c2fdd986bceda30daf8e5f32a9d01532882d51693739169620f371dbde0ba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2729008/
  
Delivery method
Distributed via web download

Comments