MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9d1a29e428b70152ea7e0977e3dbcea1b1f046a9f903d0df61dc65d7da6cdfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9d1a29e428b70152ea7e0977e3dbcea1b1f046a9f903d0df61dc65d7da6cdfb
SHA3-384 hash: cd6b1c7ad4fd78b6c1b5be379c998300bc8595d258d8cfdb30d5378106e280227fcc28919493e3e46a237bca7dceb60f
SHA1 hash: dd15864fb5959996ff911733aec40f1ab04f05e1
MD5 hash: 4bf7c2f6ffacf3054fbb280dd5d45f36
humanhash: neptune-venus-golf-nitrogen
File name:cli.bin
Download: download sample
File size:612'864 bytes
First seen:2020-11-24 08:17:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:InfGQhHbPSbswiQXHG8330DDr1a19eqYrVdrQlchLB7qhRtruZgIsslUA/EAKZgV:IkyQOhLB7qcsb5gO
Threatray 3 similar samples on MalwareBazaar
TLSH EAD410F11A1690B2F0218D3D17D7E4F92A32AE25B5513F068CF0CDAB7DA51C97126ACE
Reporter JAMESWT_WT
Tags:gelrstyysayt.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/545782
Signature
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321986 Sample: cli.bin Startdate: 24/11/2020 Architecture: WINDOWS Score: 80 59 g.msn.com 2->59 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 .NET source code references suspicious native API functions 2->67 69 4 other signatures 2->69 8 cli.exe 1 6 2->8         started        12 vlc.exe 2 2->12         started        14 vlc.exe 3 2->14         started        signatures3 process4 file5 41 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 8->41 dropped 43 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 8->43 dropped 45 C:\Users\user\AppData\Local\...\cli.exe.log, ASCII 8->45 dropped 71 Injects a PE file into a foreign processes 8->71 16 cli.exe 1 15 8->16         started        19 vlc.exe 12->19         started        21 vlc.exe 12->21         started        23 vlc.exe 12->23         started        25 vlc.exe 13 14->25         started        signatures6 process7 dnsIp8 49 crt.sectigo.com 91.199.212.52, 49719, 80 SECTIGOGB United Kingdom 16->49 51 iplogger.org 88.99.66.31, 443, 49717, 49718 HETZNER-ASDE Germany 16->51 53 ezstat.ru 16->53 27 WerFault.exe 23 9 16->27         started        30 conhost.exe 16->30         started        55 ezstat.ru 19->55 32 conhost.exe 19->32         started        34 WerFault.exe 19->34         started        57 ezstat.ru 25->57 36 WerFault.exe 25->36         started        39 conhost.exe 25->39         started        process9 dnsIp10 47 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 27->47 dropped 61 192.168.2.1 unknown unknown 36->61 file11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d9d1a29e428b70152ea7e0977e3dbcea1b1f046a9f903d0df61dc65d7da6cdfb/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-11-23 04:55:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1
4aba670fcfd1dcfd558fbd3848db4b7e36526596aa1df5ef0c39b017f954370b
6b50dffc03fa2eb27a7cfb43c0e9fc31c95411e2193a564eb6b6578e28155839
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence
Link:
https://tria.ge/reports/201124-ngvk3ecjd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies system certificate store
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
ServiceHost packer
Unpacked files
SH256 hash:
d9d1a29e428b70152ea7e0977e3dbcea1b1f046a9f903d0df61dc65d7da6cdfb
MD5 hash:
4bf7c2f6ffacf3054fbb280dd5d45f36
SHA1 hash:
dd15864fb5959996ff911733aec40f1ab04f05e1
Link:
https://www.unpac.me/results/07dc9e93-ee56-4eca-8dda-074c67bf49f9/
SH256 hash:
096ce3e49e42a748e9773d066e37a408c1de939e6d18fbcd3e138742da033d32
MD5 hash:
e0db1c402126c639801d78610027df75
SHA1 hash:
0542d669df8a42065066e86e2d77cda7dbe3925f
Link:
https://www.unpac.me/results/07dc9e93-ee56-4eca-8dda-074c67bf49f9/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/07dc9e93-ee56-4eca-8dda-074c67bf49f9/
SH256 hash:
186d1bd510b4f9f02a25df31030c744ab22d78be3ec501000135a22a2bba044b
MD5 hash:
ad4e438fa47aac7b83d9dc29a9fdc5d6
SHA1 hash:
dfb1f3a37a3edd03548fe96dd3f027c08bee8971
Link:
https://www.unpac.me/results/07dc9e93-ee56-4eca-8dda-074c67bf49f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9d1a29e428b70152ea7e0977e3dbcea1b1f046a9f903d0df61dc65d7da6cdfb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d9d1a29e428b70152ea7e0977e3dbcea1b1f046a9f903d0df61dc65d7da6cdfb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/848903/
  
Delivery method
Distributed via web download

Comments