MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d
SHA3-384 hash: 986730ac7786acfe944d0dff4f364f267729ab288a9f0436bcbba5d02874c828c905fd9401865c3f25ffe06b00709079
SHA1 hash: 330b2f3b32dc6a2a105bf8c0c9e31803134cccc5
MD5 hash: f2a43f22fc71e9e9b347061668407fe3
humanhash: four-three-missouri-uncle
File name:f2a43f22fc71e9e9b347061668407fe3.exe
Download: download sample
File size:1'915'904 bytes
First seen:2022-09-18 05:34:20 UTC
Last seen:2022-09-18 07:17:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 33d4914e8b30389a8f0d6bfbd1eb92d1 (4 x RedLineStealer)
ssdeep 24576:aIRon5+8a81VOsHYfzlInon5+qa81VOsHwPFi6IRon5+7a81VOsHGLy6g+qJ5dge:5arXRruS/4okgU
TLSH T1F9959BBC6DA18C1E9257026318DC8175D0B0EE7E8784FB672BB9E57F0A2646F3F54908
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
386
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f2a43f22fc71e9e9b347061668407fe3.exe
Verdict:
Malicious activity
Analysis date:
2022-09-18 05:37:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4787cf40-e937-48f9-8733-f58dfb1fd55f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311026/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62130728.4668.12991.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the Windows subdirectories
Running batch commands
Creating a file
Creating a process from a recently created file
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6326ae0e668068d3ba37bfe4/reports/293546b7-ccc3-437f-af52-b8852d979950/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/54c3f175-9c4e-4bf8-af92-825ae3187781
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1072394
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 704936 Sample: 9lfSQF3fEJ.exe Startdate: 18/09/2022 Architecture: WINDOWS Score: 68 50 Multi AV Scanner detection for submitted file 2->50 52 .NET source code contains method to dynamically call methods (often used by packers) 2->52 54 Machine Learning detection for sample 2->54 9 9lfSQF3fEJ.exe 1 2->9         started        12 Clipper.exe 1 2->12         started        14 Clipper.exe 1 2->14         started        process3 signatures4 56 Injects a PE file into a foreign processes 9->56 16 9lfSQF3fEJ.exe 15 5 9->16         started        20 WerFault.exe 23 9 9->20         started        22 conhost.exe 9->22         started        58 Multi AV Scanner detection for dropped file 12->58 24 conhost.exe 12->24         started        26 conhost.exe 14->26         started        process5 dnsIp6 46 cdn.discordapp.com 162.159.130.233, 443, 49709 CLOUDFLARENETUS United States 16->46 38 C:\Users\user\AppData\...\9lfSQF3fEJ.exe.log, ASCII 16->38 dropped 40 C:\Windows\Temp\xsv.exe, PE32+ 16->40 dropped 28 cmd.exe 1 16->28         started        48 192.168.2.1 unknown unknown 20->48 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->42 dropped file7 process8 process9 30 xsv.exe 1 7 28->30         started        34 conhost.exe 28->34         started        file10 44 C:\Users\user\AppData\Roaming\...\Clipper.exe, PE32+ 30->44 dropped 60 Multi AV Scanner detection for dropped file 30->60 36 conhost.exe 30->36         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2022-09-17 14:26:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xuboqxe3dpirmskot3fscyxshqhyefz2tcnnx57y56ydc7efs4oq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220918-f915yaegaq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/46c4e3ed-9b09-45ad-b8f6-eb6aa875a4e5
Unpacked files
SH256 hash:
576b1d2fbba62763b98edbe8bf8b64366b2bc7445e907dee0e55bf6999c07cf4
MD5 hash:
75afae5b368435089953fa47f772c2b4
SHA1 hash:
d472f3127565b2801fd0a000fb2e9d6f84d0510c
Link:
https://www.unpac.me/results/8998e871-7f21-40ef-a065-86b9c78fd25a/
SH256 hash:
bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d
MD5 hash:
f2a43f22fc71e9e9b347061668407fe3
SHA1 hash:
330b2f3b32dc6a2a105bf8c0c9e31803134cccc5
Link:
https://www.unpac.me/results/8998e871-7f21-40ef-a065-86b9c78fd25a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bd02e85c9b1bd116494e9ecb2162f23c0f82173a989adbf7f8efb0317c85971d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/311026/
  
URLhaus
https://urlhaus.abuse.ch/url/2305717/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2301799/

Comments