MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207
SHA3-384 hash: 90c2247392cbb1ff87df41d67d2d0ef4a42f08cea65bb286cc41f593d28774ef55c83c401bad9868440fa65d5f69717a
SHA1 hash: b695e29ac63fd6cc3f21c99f0475934abc6c26c8
MD5 hash: 7e9556a873f120b93aced165179f98a7
humanhash: music-yellow-johnny-wolfram
File name:Soft.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:994'304 bytes
First seen:2022-03-06 12:23:23 UTC
Last seen:2022-03-06 13:41:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:MuX6uHAW92zt/sWu2BSMCqDOLzLzY7z7hbTbTbTDz7z7SbuGLVVT2zjX:M0LH+tkWJ0bLzLzY7z7hbTbTbTDz7z7X
Threatray 259 similar samples on MalwareBazaar
TLSH T16B258C8D63743E32E52D65F6F10B524D484DBA58C6070E82BE840DEF3BD9174928BAF6
File icon (PE):PE icon
dhash icon e0c8cec6c6c6c0e0 (3 x BlackGuard, 3 x Formbook, 2 x MassLogger)
Reporter 3xp0rtblog
Tags:BlackGuard exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
483
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PredatorTheThief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247664/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.4694.15713.27860.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a file in the system32 subdirectories
Creating a file in the %temp% directory
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a window
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa29ed20-5f8c-4b5c-9eee-9e09a4f97866
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/951406
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 12:24:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
27b55c8a94eb835f7ef194183f088415ac4e75348609465a1393043ab6161631
BlackGuard
417d90bf7d85a12dd9b199f97a0f7315532a71e0c09c124d50258dda532e0b20
BlackGuard
4f4d29507bafc223646d98f5fed78d52dd96caeee2072ff17b15718b45a1811f
BlackGuard
52fae1ba28593ce0478042ee499f02333c1b671971c619bf7528a50ac051625a
BlackGuard
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
BlackGuard
63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7
BlackGuard
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
BlackGuard
877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9
BlackGuard
989f403c14fe2ab86cb51cb4232ed7a3fc8f623ad8025e674acfa3bf45a0d917
BlackGuard
ba2bc430c4661aab84cf7e8fedf2684e5fc106f7797af4553aef7490193b00a6
BlackGuard
+ 249 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220306-pk2vlscbhr/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
dc7044f20233374d4f8af07c48bb4ffbf1356f3fc58de048e8fdd138cd7cf135
MD5 hash:
fc4945d531b0d7983603b9302d259ed1
SHA1 hash:
32ff1a0714cbea34cd1e89e71bdb55febb72c632
Link:
https://www.unpac.me/results/9803d37d-d22d-448c-91cd-549afc133c21/
SH256 hash:
bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207
MD5 hash:
7e9556a873f120b93aced165179f98a7
SHA1 hash:
b695e29ac63fd6cc3f21c99f0475934abc6c26c8
Link:
https://www.unpac.me/results/9803d37d-d22d-448c-91cd-549afc133c21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1500119223812730884
Cape
Cape
https://www.capesandbox.com/analysis/247664/

Comments