MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4cbf62a71ead3837c2f1e83256e5e2d4e5b135c13c5e2fbf116dcfd6a4be53a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: c4cbf62a71ead3837c2f1e83256e5e2d4e5b135c13c5e2fbf116dcfd6a4be53a
SHA3-384 hash: d33a49cb15c17f3aa4e35b0c07c83cd19b933a537e025e14c68bad9aa2d9db7d4ef7a56da7f60584bfcf24799a90ffbc
SHA1 hash: 74e657ee4d98150696dcbb9465e0a6b244ba01cd
MD5 hash: 60494980f66242d3c1b11b0477c4fa8b
humanhash: blue-winner-muppet-east
File name: 60494980f66242d3c1b11b0477c4fa8b.exe
File size: 788'992 bytes
First seen: 2023-03-12 18:52:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'458 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 12288:+6dLYWqvv13doNRTlLJBJ0PDTikmpuO3wDWhnHOVue3S6sNOkMrCv99FVAiT:ZdW1OLBJ0PDTikcsWlHOVui9bRyXZ
Threatray: 2'341 similar samples on MalwareBazaar
TLSH: T142F4236D25359FFDC029C870AE9A5BC731B2F44AB8CC068DF9CF20691A46556D7EB380
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
60494980f66242d3c1b11b0477c4fa8b.exe
Verdict:
Malicious activity
Analysis date:
2023-03-12 18:57:27 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a service
Launching a process
Searching for the window
Searching for synchronization primitives
Creating a window
Creating a file
Changing a file
Modifying a system executable file
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Heracles
Status:
Malicious
First seen:
2023-03-12 03:45:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Adds Run key to start application
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files
SHA256 hash:
307132781d0a797bf59b119cb4beaf23d347258e2b51aa0f53947595bcdbecfd
MD5 hash:
93999305c9cb7df2f1ffe4c62b53367c
SHA1 hash:
f184ea09ac8684a4450feed2da6fb130baa1e678
SHA256 hash:
5b9dfb7019cbc7eca0504923c71da9145b42ec94ffc84d27a7e303e29a5387f1
MD5 hash:
41ba3ead4676b25a5e0daab4984b8ca6
SHA1 hash:
9c9ce26c83652f93b67220f8fb3dad06af965f8e
SHA256 hash:
76fbdfdab20f6692f2dedd2d6860b2e7e386f0b3aa460529d240b9dfbd1e9cab
MD5 hash:
00f9f38224be195bd73fe1f4301bce76
SHA1 hash:
33fb76cd9b031213d7d4ce8496a96722901c062a
SHA256 hash:
c4cbf62a71ead3837c2f1e83256e5e2d4e5b135c13c5e2fbf116dcfd6a4be53a
MD5 hash:
60494980f66242d3c1b11b0477c4fa8b
SHA1 hash:
74e657ee4d98150696dcbb9465e0a6b244ba01cd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c4cbf62a71ead3837c2f1e83256e5e2d4e5b135c13c5e2fbf116dcfd6a4be53a (this sample)

Delivery method: Distributed via web download
