MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760
SHA3-384 hash:	a91d254857fefeff0efc33c9b05bcaebde2862dd7ed87b54a7a5c6ad297651a5ce06aac299dea5b83f22f730c44b46ef
SHA1 hash:	7fce6a19e42469c63cffa4c8d6fd9050fc08ae1c
MD5 hash:	75a40e4647cd013372f1d14d07bb8abb
humanhash:	neptune-sixteen-carpet-hydrogen
File name:	75a40e4647cd013372f1d14d07bb8abb.exe
Download:	download sample
File size:	1'248'768 bytes
First seen:	2022-02-03 14:46:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	30e6efa0af8616395245ec4a9b8a1088
ssdeep	12288:nroTvwPuwgCiNvTnkLYzsdns7sLW/dxc3VBy:mBs60y
Threatray	525 similar samples on MalwareBazaar
TLSH	T15F451D43D5B45010E56ED72746A6251A1BF2B0D603F3FD7A8386982A0FC1F14B6E6FE8
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

155

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/232279/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.47969504.30414.21300.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

DNS request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

fingerprint netsh.exe packed

Link:

https://www.filescan.io/uploads/61fc316718d1bfdde4ef317d/reports/76e79a29-d579-423b-a953-e9640d866a1f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/312191af-1546-49e8-9806-bf690ba5b8a0

Result

Threat name:

Unknown

Detection:

malicious

Classification:

rans.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/933455

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760/

Threat name:

Win64.PUA.GameHack

Status:

Malicious

First seen:

2021-09-25 10:42:34 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

16 of 27 (59.26%)

Threat level:

1/5

Verdict:

malicious

Label(s):

ryuk

1b402777ed9ef271c6790e8542400f38a65e8c3df224e1b80c7879e1e2c0872c

35616cb24994c8f53d586c6a5959c1011331e4c224be38bb5de08ee89378ecb8

5641e24e22ccd259f18585ed2cbbaf6be3b39a04b3c7e170063a684e21bcf078

716408476bc23c3e74a852ed6246dd60e8ed18533bedc13d4984279c97cd1a74

914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c

cdbed3a79d37d581fc5be268df61e13aaafa5c88a001f4e8b298d77c4b37ae13

d0f8a2be536ca434da7734bd318d2a88ea5005f47d518c30ff611185f42c3701

d8adcf006800aa50ce44fd520a9970d3324a53320765908b1c1caead9e07d7b1

eb6b810f2cb85c0a1a028c53e4c346b3ec7601d1853758c3b8ce56eac6f96be8

+ 515 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion persistence ransomware spyware stealer

Link:

https://tria.ge/reports/220203-r5wv7saeh3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Gathers network information

Interacts with shadow copies

Kills process with taskkill

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Modifies registry key

Modifies system certificate store

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Executes dropped EXE

Modifies Windows Firewall

Sets service image path in registry

Deletes shadow copies

Process spawned unexpected child process

Unpacked files

SH256 hash:

cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760

MD5 hash:

75a40e4647cd013372f1d14d07bb8abb

SHA1 hash:

7fce6a19e42469c63cffa4c8d6fd9050fc08ae1c

Link:

https://www.unpac.me/results/f23d1db3-8a36-4d26-9c2b-dd14b0196552/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cf5b221512a7/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing URLs to raw contents of a Github gist

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe cf5b221512a74ec01429790f7fadaefe27889258c89c4053e0d10e78b1619760

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2026357/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/232279/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample