MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85
SHA3-384 hash: bdfeba1841c6893ed6f85bd60d593d285e672ce29cbceb8012ebc469023edd009726bd56fdf828ca89c66a5acd065e69
SHA1 hash: b5a347b7ffa8012695f849e5129be0f97acf3b62
MD5 hash: 949a3ef7ca414555593f0b13a9bc87cc
humanhash: blossom-summer-hawaii-sierra
File name:949a3ef7ca414555593f0b13a9bc87cc.exe
Download: download sample
File size:3'068'544 bytes
First seen:2020-12-22 12:27:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:j1tvjpkMDqw21r3TLRJ22ZTIXuyHxafEVf04MJk5Zkwg4gLEC8V6v66VxBpK34aG:j1Nl2Z
Threatray 18 similar samples on MalwareBazaar
TLSH D7E54A0249816CCBD7B2D090A34EC2D6B38795DCE7EA5FD46E20E25532CC4B7EB69D81
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
949a3ef7ca414555593f0b13a9bc87cc.exe
Verdict:
Malicious activity
Analysis date:
2020-12-22 12:37:45 UTC
Tags:
rat backdoor dcrat trojan evasion
Link:
https://app.any.run/tasks/0db7ef7b-1692-48e5-9eca-b30bb53d80f4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108851/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35806774.3589.32400.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Creating a process from a recently created file
Sending an HTTP GET request
DNS request
Creating a window
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568389
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
.NET source code references suspicious native API functions
Creates multiple autostart registry keys
Drops PE files to the user root directory
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333267 Sample: 7vOBf2SPwn.exe Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 73 Multi AV Scanner detection for dropped file 2->73 75 Multi AV Scanner detection for submitted file 2->75 77 .NET source code contains method to dynamically call methods (often used by packers) 2->77 79 9 other signatures 2->79 8 7vOBf2SPwn.exe 3 2->8         started        12 svchost.exe 2->12         started        14 7vOBf2SPwn.exe 2->14         started        16 8 other processes 2->16 process3 dnsIp4 65 C:\Users\user\AppData\...\7vOBf2SPwn.exe.log, ASCII 8->65 dropped 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->89 91 Drops PE files to the user root directory 8->91 93 Drops PE files with benign system names 8->93 19 7vOBf2SPwn.exe 3 17 8->19         started        95 Injects a PE file into a foreign processes 12->95 23 svchost.exe 12->23         started        26 7vOBf2SPwn.exe 14->26         started        28 7vOBf2SPwn.exe 14->28         started        67 192.168.2.1 unknown unknown 16->67 30 7vOBf2SPwn.exe 16->30         started        32 7vOBf2SPwn.exe 16->32         started        34 7vOBf2SPwn.exe 16->34         started        36 5 other processes 16->36 file5 signatures6 process7 dnsIp8 57 C:\Users\user\3D Objects\svchost.exe, PE32 19->57 dropped 59 C:\Users\Default\svchost.exe, PE32 19->59 dropped 61 C:\Program Files (x86)\...\svchost.exe, PE32 19->61 dropped 63 6 other malicious files 19->63 dropped 81 Creates multiple autostart registry keys 19->81 83 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->83 38 schtasks.exe 1 19->38         started        40 schtasks.exe 1 19->40         started        42 schtasks.exe 1 19->42         started        44 3 other processes 19->44 69 213.159.211.59, 49750, 49751, 49754 THEFIRST-ASRU Russian Federation 23->69 71 ipinfo.io 216.239.38.21, 443, 49752 GOOGLEUS United States 23->71 85 System process connects to network (likely due to code injection or exploit) 23->85 87 Tries to harvest and steal browser information (history, passwords, etc) 23->87 file9 signatures10 process11 process12 46 conhost.exe 38->46         started        49 conhost.exe 40->49         started        51 conhost.exe 42->51         started        53 conhost.exe 44->53         started        55 conhost.exe 44->55         started        signatures13 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 46->97
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-12-22 02:41:43 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  1/5
Verdict:
suspicious
Similar samples:
0ba844126112cd1af93968ecb760709771c821722774dbaf2bafe00c086a6593
2812852d9f55f586716b4358316ace833b847c4e62da54cd8d207458c8966a4f
3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
41eef1a870eaea8573585611d3fd3b9f0fb30ed20ffe94e7082b8925b12c329d
5fd5abeb26cdc364310d6e88bb4326d6801eba7dfebca2601fb0ad11797acdd6
61d4ffa8f628b886b63e70a83fc7fcaf89cfe976ef1554f20d481487e5da94fe
c9783969d5474b7035fab8eb6acfedd475ec7297cd8042f5a188b21c48b9491a
dbb052cb64caf28728eecf651c6c50340d246842e875960f990ff40016da979c
e75b28e4922fc31d4bcc071f47941d45539c5459d4bf459c62da4072bd84379b
f32e731527a2a3fa24a75c8732c2e236dfb6dd4f09c50add479d6cf9e018d34c
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201222-6zrzejnkcj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
3d9dd7dc1e15e840532375ea7d6a9276a09a51d09c6bdf4f9774651c86be5fa0
MD5 hash:
9b1ecaa32bad92c363ecb6344e601f3f
SHA1 hash:
023a75956e9e757a3523dfbb05a86e4ecca54068
Link:
https://www.unpac.me/results/63ca0d52-2f93-47d5-b8a0-328d7d4ca6d7/
SH256 hash:
cd21a9bee7a21b0581700d00a6b11b81cddc7f6978baaf422ae3180fb2b56772
MD5 hash:
8e0c990de4c8e2572d1712c532ae7efc
SHA1 hash:
7f391b52c6cbd4fcb36541690b6f473eaa9bcebe
Link:
https://www.unpac.me/results/63ca0d52-2f93-47d5-b8a0-328d7d4ca6d7/
SH256 hash:
cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85
MD5 hash:
949a3ef7ca414555593f0b13a9bc87cc
SHA1 hash:
b5a347b7ffa8012695f849e5129be0f97acf3b62
Link:
https://www.unpac.me/results/63ca0d52-2f93-47d5-b8a0-328d7d4ca6d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/938067/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108851/

Comments