MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bea67778fa9a788b8137fb623d045d2b90011f806ddc38212d9f4d877ab8d49a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zegost

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	bea67778fa9a788b8137fb623d045d2b90011f806ddc38212d9f4d877ab8d49a
SHA3-384 hash:	be29beb177c005d85d7d49c2ff3ec988bf5e66e0b147bf7017ff1982de464e1027d6fbb4ae217c2bb49a05b761847207
SHA1 hash:	ab2dabb1c1f19967a2d2b614f0d8e0e98cd15092
MD5 hash:	67ea33dfa57e1db564d6fbfeb5bd2321
humanhash:	mars-hydrogen-oranges-white
File name:	6c98aa42bb499c16cbbda734f771b127
Download:	download sample
Signature	Zegost Create hunting rule
File size:	1'115'412 bytes
First seen:	2020-11-17 11:29:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3c70563a70046227330c392e62c4bf2e (1 x Zegost)
ssdeep	12288:jt0VPFfsKAkrbPlWhHANUTNqjHANUTNtJ:SFksb8AtJ
Threatray	5 similar samples on MalwareBazaar
TLSH	8A352502927F071594DA32149F70496ACDFCAED690E2FC28EFA06D8EC63DB91558C736
Reporter	seifreed
Tags:	Zegost

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upolyx-12

Win.Trojan.Farfli-6781337-0

Win.Trojan.Farfli-6781338-0

Win.Trojan.Farfli-6784100-0

Win.Trojan.Zegost-6787441-0

Win.Trojan.Zegost-6787446-0

Win.Trojan.Zegost-6787447-0

Win.Trojan.Zegost-6787448-0

Win.Trojan.Zegost-6787449-0

Win.Trojan.Zegost-6787450-0

Win.Trojan.Zegost-6887782-0

Win.Trojan.Farfli-6894543-0

Win.Trojan.Farfli-6796190-0

Win.Trojan.Zegost-7493503-0

SecuriteInfo.com.BackDoor.Agent.ANNR.1414.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Modifying an executable file

Creating a file in the Windows directory

DNS request

Connection attempt

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bea67778fa9a788b8137fb623d045d2b90011f806ddc38212d9f4d877ab8d49a/

Threat name:

Win32.Backdoor.Farfli

Status:

Malicious

First seen:

2020-11-17 11:30:24 UTC

AV detection:

39 of 48 (81.25%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=x2tho6h2tj4ixajx7nrd2bc5foiach4anxodqijnt5gyo6vy2sna._file

Verdict:

suspicious

Zegost

82c8c241387c128a1d00eb9a96ec415ccad32461600441cb9a6c9176cfebd617

Zegost

851f2df17ce8673bc0747d4ec64b2904b3749a5e9028acbc65db70613b3e5ad5

Zegost

a66d1021e54269963e9a54892869d569ffa1c74d9fb1b67f023ea5fdfd90c1a6

Zegost

c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e

Zegost

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence upx

Link:

https://tria.ge/reports/201117-hrb3r7bt86/

Behaviour

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Adds Run key to start application

Executes dropped EXE

UPX packed file

Unpacked files

SH256 hash:

bea67778fa9a788b8137fb623d045d2b90011f806ddc38212d9f4d877ab8d49a

MD5 hash:

67ea33dfa57e1db564d6fbfeb5bd2321

SHA1 hash:

ab2dabb1c1f19967a2d2b614f0d8e0e98cd15092

Link:

https://www.unpac.me/results/0ca8d7de-4a39-4566-84db-ae0048d4bb05/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample