MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624
SHA3-384 hash: 6a3adc35f0d44468e3a14bc9e9686cea55b87f8862d2e709082cb1667c51f95024f1c6aceb95a4505d5905f5d30a84bb
SHA1 hash: 650c0550f12c65d9841d10ab589ff39261018957
MD5 hash: 1b1e4286625bb189a526e910f2031c7b
humanhash: single-sweet-oklahoma-michigan
File name:1b1e4286625bb189a526e910f2031c7b
Download: download sample
File size:54'272 bytes
First seen:2022-01-15 00:08:25 UTC
Last seen:2022-01-15 01:33:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 192:s7yxMfjf6NrLqKZ6mXS9LzL1pvULIRPqY2F3991ZuBhyY8PGCz9QwAOSZCGQyBbf:KyufjSLq86mXS9LzLdqY2LHZ4cZA
Threatray 262 similar samples on MalwareBazaar
TLSH T1313366F08FF5B9A5E0192073B864B13C37D79D0EDC655836E69BF54A34628C220E6E1B
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b1e4286625bb189a526e910f2031c7b
Verdict:
Malicious activity
Analysis date:
2022-01-15 00:17:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/420ee5e8-c7f6-42d5-8d3b-6050f8548364

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219425/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.EC.genEldorado.15450.29196.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/61e210a0f2e8ec86feff25e3/reports/a01a5b03-5813-4ec2-8bfc-6e6c924ecb66/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13dfaa79-319f-4c81-b7ef-4a2abc73b565
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/921013
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2022-01-15 00:09:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0245c82558329cfd8ef5ef901e4929075d4d873ba20d9704731758580caed7be
05bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
4c0f83c722bdcb38b3d53a1cebc80b777ee6e02742e27a384ac39d7e51f4e7dd
6b10f57d5211fa504775f4db4021b74bfee20d6fc6f908fb062044db926c0656
8592d578f269100d67bf1faa464e23de7bf0c1266bad19d2bf6bcce0501158a3
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
e53815bde4306397c668c921b03877403c5faae724ec66e1a62f3cc506fdb2ea
+ 252 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220115-afgljsbgfm/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624
MD5 hash:
1b1e4286625bb189a526e910f2031c7b
SHA1 hash:
650c0550f12c65d9841d10ab589ff39261018957
Link:
https://www.unpac.me/results/c2093dc7-af5c-4417-8390-52ea8c7a9f89/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.44
Link:
https://yomi.yoroi.company/submissions/c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1977641/
Cape
Cape
https://www.capesandbox.com/analysis/219425/

Comments


Avatar
zbet commented on 2022-01-15 00:08:28 UTC

url : hxxp://74.201.28.62/book/KB5009812.exe