MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9f97fc9aaebe8ed5c4fe044f9480c2504b50f94325f1b141ed28e6c381d17bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9f97fc9aaebe8ed5c4fe044f9480c2504b50f94325f1b141ed28e6c381d17bc
SHA3-384 hash: 4f566b411ea6b6d835b24a4ef3fef3d4a23b927cae2bdd84ba9e043cee882eb383fc1a50952e20fd803685f7a73d8d93
SHA1 hash: dd0fc31fc6bf8281ea3d827c62daf977f9f35bda
MD5 hash: c5acdcc6c5665ed828560b950694a875
humanhash: twelve-dakota-fix-nuts
File name:c5acdcc6c5665ed828560b950694a875.exe
Download: download sample
File size:189'952 bytes
First seen:2021-11-21 15:54:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:6hzT9hbRPACm9yeiGKg4zzUG8V8qhIVm:6P9hbVACm9yeiGKg4sG8V8xVm
Threatray 11 similar samples on MalwareBazaar
TLSH T15604410213D1E7BBFCD269BF5F23C207169F2B85A7B46DA61D00564EBA12D1360E790E
File icon (PE):PE icon
dhash icon 71f4808888c2c461 (1 x AsyncRAT)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c5acdcc6c5665ed828560b950694a875.exe
Verdict:
No threats detected
Analysis date:
2021-11-21 15:58:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/968b3e1e-b467-4f5d-a0e8-08e2791ad365

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/619a6bdd94a88037d2fca602/reports/f37c0bc1-741c-4963-9c93-eb632290bcdb/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6983e985-2be1-4472-9071-6144d76844ac
Result
Threat name:
IPack Miner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/893319
Signature
Creates an undocumented autostart registry key
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Uses ping.exe to check the status of other devices and networks
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
Yara detected IPack Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 525792 Sample: dpzamp5dX9.exe Startdate: 21/11/2021 Architecture: WINDOWS Score: 100 48 youtube.com 2->48 56 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->56 58 Multi AV Scanner detection for submitted file 2->58 60 Yara detected IPack Miner 2->60 62 5 other signatures 2->62 9 dpzamp5dX9.exe 17 10 2->9         started        signatures3 process4 dnsIp5 54 streetstar.site 81.177.165.51, 443, 49746 RTCOMM-ASRU Russian Federation 9->54 40 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32+ 9->40 dropped 42 C:\Users\user\AppData\...\dpzamp5dX9.exe, PE32+ 9->42 dropped 44 C:\Users\user\...\Chrome.exe:Zone.Identifier, ASCII 9->44 dropped 46 3 other malicious files 9->46 dropped 64 Creates an undocumented autostart registry key 9->64 66 Writes to foreign memory regions 9->66 68 Modifies the context of a thread in another process (thread injection) 9->68 70 Injects a PE file into a foreign processes 9->70 14 dpzamp5dX9.exe 9->14         started        17 cmd.exe 1 9->17         started        19 wscript.exe 1 9->19         started        21 5 other processes 9->21 file6 signatures7 process8 signatures9 72 Machine Learning detection for dropped file 14->72 74 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->76 78 Uses ping.exe to check the status of other devices and networks 17->78 23 PING.EXE 1 17->23         started        26 conhost.exe 17->26         started        80 Wscript starts Powershell (via cmd or directly) 19->80 28 powershell.exe 24 19->28         started        30 PING.EXE 1 21->30         started        32 PING.EXE 1 21->32         started        34 PING.EXE 1 21->34         started        36 7 other processes 21->36 process10 dnsIp11 50 youtube.com 172.217.168.46 GOOGLEUS United States 23->50 38 conhost.exe 28->38         started        52 facebook.com 157.240.17.35 FACEBOOKUS United States 32->52 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9f97fc9aaebe8ed5c4fe044f9480c2504b50f94325f1b141ed28e6c381d17bc/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-11-21 10:27:58 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
19833e0887e0a19bb45a6acc390322e9aa09b9783620bcf479cda77a3b8c2533
22377e133f9eeb822f92390f2c5abf0a7f9eb856e7f66e435041b171dcf3d987
2d8c517e8ada7ab3c73c6bd6b67b2a8528d83e31eb1b4e9ddd2ec27c2b308c94
35235fda554c446f3081ddbbaf1f18be2300a3830c1943cb93e53becb83d84e9
39e191e72e7e30193ef6d907de2084ea55048d92650af1d89917c30f664938bd
457366af26a4da0fb951fda087c68b15cc63f0034a588803b4ec6458edb601bf
57de84ac2faa2a05fc3e52fb79ae165e2825308fec4d86e30cc2c0c9984b089a
b06b803c1a654849e7b0310b0b590ca574568ab9eba41858e8caaff5dbbeacba
b6f65e1b91543c0dcaf6d8afddf8649704052b0fc2463d3c2329aa8af08455b7
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/211121-tcsn7ahad7/
Behaviour
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
e9f97fc9aaebe8ed5c4fe044f9480c2504b50f94325f1b141ed28e6c381d17bc
MD5 hash:
c5acdcc6c5665ed828560b950694a875
SHA1 hash:
dd0fc31fc6bf8281ea3d827c62daf977f9f35bda
Link:
https://www.unpac.me/results/4e2ec860-874d-4ab7-a39e-aec4a7472e50/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/e9f97fc9aaebe8ed5c4fe044f9480c2504b50f94325f1b141ed28e6c381d17bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207904/

Comments