MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de0243917245895bebcaa2084a9dd923d9878b0b9e5c04373caa7c1f7c8c02ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de0243917245895bebcaa2084a9dd923d9878b0b9e5c04373caa7c1f7c8c02ba
SHA3-384 hash: f595d8eb494ebc9dc9a7e756322927a7f417cfa800e4f2c7b84394f805e0ffbf5dae36304261dd45e06e521543c093fb
SHA1 hash: f019587d6b8bb8e8834793d3b3d6a68277f258ef
MD5 hash: 6fa3b27b89661005170aafe3fda48388
humanhash: venus-oranges-dakota-rugby
File name:Client_crypt.exe
Download: download sample
File size:1'100'448 bytes
First seen:2022-12-31 18:47:21 UTC
Last seen:2022-12-31 20:28:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:yT+ua8m657w6ZBLmkitKqBCjC0PDgM5An9B:ycVV1BCjB8
TLSH T153356B1623EC8F66E1AE1735E8705A1583F2F407A27ADB8F6944D4F91D677A0CE003A7
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter atomiczsec
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
181
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Client_crypt.exe
Verdict:
Malicious activity
Analysis date:
2022-12-31 18:49:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/570d6c30-a886-4566-a60d-608b1880304f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.24181.13813.11816.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching cmd.exe command interpreter
Creating a window
Launching a process
Running batch commands
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
cmd.exe overlay packed packed
Link:
https://www.filescan.io/uploads/63b083e50e926711fd760728/reports/3c12da55-7235-462a-bc27-73b0eec3ef2d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/32d48567-499c-4b3a-9b02-18918f0a16e5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1143648
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 776378 Sample: Client_crypt.exe Startdate: 31/12/2022 Architecture: WINDOWS Score: 96 48 Antivirus detection for URL or domain 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 .NET source code contains potential unpacker 2->52 54 Machine Learning detection for sample 2->54 9 Client_crypt.exe 10 2->9         started        process3 file4 36 C:\Users\Administrator\...\Client_crypt.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\Local\Temp\f1.xml, XML 9->38 dropped 40 C:\Users\user\...\Client_crypt.exe.log, ASCII 9->40 dropped 12 Client_crypt.exe 5 9->12         started        15 cmd.exe 1 9->15         started        process5 signatures6 56 Antivirus detection for dropped file 12->56 58 Multi AV Scanner detection for dropped file 12->58 17 cmd.exe 1 12->17         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 15->60 20 conhost.exe 15->20         started        22 schtasks.exe 1 15->22         started        24 schtasks.exe 1 15->24         started        process7 signatures8 42 Suspicious powershell command line found 17->42 44 Bypasses PowerShell execution policy 17->44 46 Adds a directory exclusion to Windows Defender 17->46 26 powershell.exe 3 17->26         started        28 powershell.exe 19 17->28         started        30 powershell.exe 21 17->30         started        32 conhost.exe 17->32         started        process9 process10 34 conhost.exe 26->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de0243917245895bebcaa2084a9dd923d9878b0b9e5c04373caa7c1f7c8c02ba/
Threat name:
ByteCode-MSIL.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-12-31 18:48:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ybehelsiwevx26kuieevhozepmypcyltzoainz4vj6b67emak5a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221231-xfr4lsde4z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Executes dropped EXE
Unpacked files
SH256 hash:
57ed3a8b06c3ee40450d175eae8058edd164c20e95644614cc497cefdea01a00
MD5 hash:
8a5e8bb8e0caad41d88c75223009f110
SHA1 hash:
cddad5b3b761f8a6762b9ba6e5a5526d49c91339
Link:
https://www.unpac.me/results/070bd9c6-4f0b-42cd-b4d9-e78397df350c/
SH256 hash:
a4009288982e4c30d22b544167f72db882e34f0fda7d4061b2c02c84688c0ed1
MD5 hash:
7c359500407dd393a276010ab778d5af
SHA1 hash:
4d63d669b73acaca3fc62ec263589acaaea91c0b
Link:
https://www.unpac.me/results/070bd9c6-4f0b-42cd-b4d9-e78397df350c/
SH256 hash:
de0243917245895bebcaa2084a9dd923d9878b0b9e5c04373caa7c1f7c8c02ba
MD5 hash:
6fa3b27b89661005170aafe3fda48388
SHA1 hash:
f019587d6b8bb8e8834793d3b3d6a68277f258ef
Link:
https://www.unpac.me/results/070bd9c6-4f0b-42cd-b4d9-e78397df350c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/de0243917245895bebcaa2084a9dd923d9878b0b9e5c04373caa7c1f7c8c02ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments