MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbc5f5dea80607738bfdf4fa1b120cde675ed49ac4a5db490cf5416023d1576c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbc5f5dea80607738bfdf4fa1b120cde675ed49ac4a5db490cf5416023d1576c
SHA3-384 hash: 2fd7db05097bc8ae43b3ec93cfd75d0c84e744d632f83cfe04072b3231dd114c79911237c42a7c1e68147dff08d77dcd
SHA1 hash: b983601276e8ec9898059cf1c9c4f1c13707036a
MD5 hash: fd974046fc5973ab38021ff6c5b134bf
humanhash: zulu-oklahoma-mars-bakerloo
File name:fd974046fc5973ab38021ff6c5b134bf.exe
Download: download sample
File size:2'232'320 bytes
First seen:2023-01-17 14:35:28 UTC
Last seen:2023-01-17 17:29:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:HqV0T96g2b/zDhQjJTY5s4JOmFi0gjr2:HqV0Tg7b/fhOG5K0gf
TLSH T1E1A523FC47AD4E3DC2E946B944D326AC43B8AC099B85EB8B95847EDF6D18BE17503013
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 52b0c8c88cf030e0
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
208
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fd974046fc5973ab38021ff6c5b134bf.exe
Verdict:
Malicious activity
Analysis date:
2023-01-17 14:48:04 UTC
Tags:
evasion opendir loader
Link:
https://app.any.run/tasks/f1d2da4b-3a9b-4c20-a766-b5bffb805613

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353842/
Detection(s):
SecuriteInfo.com.Variant.Lazy.233333.22417.5834.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching a process
Searching for the browser window
Searching for the window
Unauthorized injection to a recently created process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/63c6b255afdaca54d438ce23/reports/2991be32-1136-439e-ba8b-93462b656f6e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c9000a9b-4bac-44e6-af87-5b9fd6cfeb94
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1153244
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Schedule system process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 786037 Sample: Y396jKhotN.exe Startdate: 17/01/2023 Architecture: WINDOWS Score: 100 89 stub01.kozow.com 2->89 91 discord.com 2->91 93 cdn.discordapp.com 2->93 125 Antivirus / Scanner detection for submitted sample 2->125 127 Multi AV Scanner detection for submitted file 2->127 129 Sigma detected: Schedule system process 2->129 131 3 other signatures 2->131 10 Y396jKhotN.exe 16 20 2->10         started        signatures3 process4 dnsIp5 99 ipapi.co 104.26.9.44, 443, 49718 CLOUDFLARENETUS United States 10->99 101 discord.com 162.159.135.232, 443, 49719, 49731 CLOUDFLARENETUS United States 10->101 103 2 other IPs or domains 10->103 79 C:\Users\user\AppData\Local\...\shst.dat.exe, PE32 10->79 dropped 81 C:\Users\user\AppData\Local\...\aio.dat.exe, PE32+ 10->81 dropped 83 C:\Users\user\...\SiticoneDotNetRT.dll, PE32 10->83 dropped 85 C:\Users\user\AppData\...\Y396jKhotN.exe.log, ASCII 10->85 dropped 139 Tries to detect virtualization through RDTSC time measurements 10->139 15 shst.dat.exe 7 10->15         started        19 cmd.exe 10->19         started        21 cmd.exe 1 10->21         started        23 chrome.exe 14 1 10->23         started        file6 signatures7 process8 dnsIp9 87 C:\Windows\svchost.exe, PE32 15->87 dropped 115 Antivirus detection for dropped file 15->115 117 Multi AV Scanner detection for dropped file 15->117 119 Protects its processes via BreakOnTermination flag 15->119 123 2 other signatures 15->123 26 cmd.exe 15->26         started        29 cmd.exe 15->29         started        31 aio.dat.exe 19->31         started        34 conhost.exe 19->34         started        36 choice.exe 19->36         started        121 Uses schtasks.exe or at.exe to add and modify task schedules 21->121 38 conhost.exe 21->38         started        40 choice.exe 1 21->40         started        95 192.168.2.1 unknown unknown 23->95 97 239.255.255.250 unknown Reserved 23->97 42 chrome.exe 23->42         started        44 2 other processes 23->44 file10 signatures11 process12 dnsIp13 133 Drops executables to the windows directory (C:\Windows) and starts them 26->133 46 svchost.exe 26->46         started        49 conhost.exe 26->49         started        51 timeout.exe 26->51         started        53 conhost.exe 29->53         started        55 schtasks.exe 29->55         started        105 188.114.96.3, 443, 49817 CLOUDFLARENETUS European Union 31->105 107 keyauth.win 31->107 135 Antivirus detection for dropped file 31->135 137 Multi AV Scanner detection for dropped file 31->137 57 cmd.exe 31->57         started        59 cmd.exe 31->59         started        61 cmd.exe 31->61         started        63 16 other processes 31->63 109 accounts.google.com 142.250.180.173, 443, 49724, 49730 GOOGLEUS United States 42->109 111 clients.l.google.com 142.250.184.46, 443, 49723 GOOGLEUS United States 42->111 113 6 other IPs or domains 42->113 signatures14 process15 signatures16 141 Antivirus detection for dropped file 46->141 143 Multi AV Scanner detection for dropped file 46->143 145 Machine Learning detection for dropped file 46->145 65 taskkill.exe 57->65         started        67 taskkill.exe 59->67         started        69 taskkill.exe 61->69         started        71 sc.exe 63->71         started        73 taskkill.exe 63->73         started        75 certutil.exe 63->75         started        77 9 other processes 63->77 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbc5f5dea80607738bfdf4fa1b120cde675ed49ac4a5db490cf5416023d1576c/
Threat name:
Win32.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-08-11 11:47:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpc7lxviaydxhc756t5bweqm3ztv5ve2yss5wsim6vawai6rk5wa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/230117-ryk55adf4v/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Kills process with taskkill
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Launches sc.exe
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Stops running service(s)
Unpacked files
SH256 hash:
8433e2370c413de81a1caf06a348e50d03c1720b55aff1e05824df5fd15ce26f
MD5 hash:
bee785e13ac15b8fd80a1ec9a61e5255
SHA1 hash:
ee257c43fb8fb8931cb0d7f540412317bb47b936
Link:
https://www.unpac.me/results/b70b07e2-e541-4da2-bda1-2cf6712325d6/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/b70b07e2-e541-4da2-bda1-2cf6712325d6/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
9fa63f758c50a9b7b406610da42e7b81593b83309a7e03a072ec918f423b4a1d
MD5 hash:
6cbe11d4d3f98950277dfe6d41087f19
SHA1 hash:
99b61b8610e3fd4fe57787cc83bbb54c7872b292
Link:
https://www.unpac.me/results/b70b07e2-e541-4da2-bda1-2cf6712325d6/
SH256 hash:
4885949a4c4b1837b81ed2e4040f3420381fb57865144444c58b2a57d39152db
MD5 hash:
3fba3e1f5db1e26ac862340aa2682c0b
SHA1 hash:
335fd824cba95d96f02cb5e7914e50cfabb40c55
Link:
https://www.unpac.me/results/b70b07e2-e541-4da2-bda1-2cf6712325d6/
SH256 hash:
48ba5773e1862747ff38ab48b92a8c564ceff14f41e667613b1203d40378be33
MD5 hash:
3d4785ef6c803fe6f726b4d7923be655
SHA1 hash:
17dad0a26229d6fcaf28271f0c923c3f3ddcc60e
Link:
https://www.unpac.me/results/b70b07e2-e541-4da2-bda1-2cf6712325d6/
SH256 hash:
cbc5f5dea80607738bfdf4fa1b120cde675ed49ac4a5db490cf5416023d1576c
MD5 hash:
fd974046fc5973ab38021ff6c5b134bf
SHA1 hash:
b983601276e8ec9898059cf1c9c4f1c13707036a
Link:
https://www.unpac.me/results/b70b07e2-e541-4da2-bda1-2cf6712325d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbc5f5dea80607738bfdf4fa1b120cde675ed49ac4a5db490cf5416023d1576c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cbc5f5dea80607738bfdf4fa1b120cde675ed49ac4a5db490cf5416023d1576c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2510416/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/353842/

Comments