MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2cbacd915456e47e8801353dce4cfdbfe2aeeaf6d5a8adaeaa325d0c30d00fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	f2cbacd915456e47e8801353dce4cfdbfe2aeeaf6d5a8adaeaa325d0c30d00fc
SHA3-384 hash:	4ab0708dea660f51dcff50a26b03b4c3714266d4bb598b3babc6d09f4fb55e725ec03b8be283fe475bdef85ad3a9ee3d
SHA1 hash:	7be806a1ef3839e2a772f2c13c8bf6f13b77eb70
MD5 hash:	251658deca6970f2412e182eca1aff5b
humanhash:	double-alpha-west-missouri
File name:	251658deca6970f2412e182eca1aff5b.bin
Download:	download sample
File size:	6'738'944 bytes
First seen:	2023-03-30 14:30:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	49152:hEwUKsFMIow42dH3zMJccuI/MEUjAkgxKoiogSogsfAC0h3Q18A3XwEdPTSqCuv0:1
Threatray	125 similar samples on MalwareBazaar
TLSH	T1FF6602F11193FDC4A72F1D4881043E40EC042A6B976C925CFDC926BB93EA558EFAD9B1
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	bin exe

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

251658deca6970f2412e182eca1aff5b.bin

Verdict:

Malicious activity

Analysis date:

2023-03-30 14:33:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9ee79093-ad18-47c7-8ba1-d05df004ac06

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/378857/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.30942.10725.5642.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Launching a process

Creating a file

Running batch commands

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

warp

Link:

https://www.filescan.io/uploads/64259d280dc8b8a71cf79163/reports/a8fce17c-77c2-41c4-b528-a457e34bca12/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f2cbacd915456e47e8801353dce4cfdbfe2aeeaf6d5a8adaeaa325d0c30d00fc

Result

Verdict:

MALICIOUS

Malware family:

Sofacy

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/24ba7656-088a-4227-be40-8642a1bc15bb

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1205253

Signature

.NET source code contains potential unpacker

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f2cbacd915456e47e8801353dce4cfdbfe2aeeaf6d5a8adaeaa325d0c30d00fc/

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2023-03-30 14:31:10 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6lf2zwivivxep2eacnj5zzgp3p7cv3vpnvnivwxkums5bqynad6a._file

Verdict:

malicious

286a906b91ed5c46a05db9f8db2cdd1b50e6cec2a4574b1ad05768e805999764

8bc701c907ffb5ae4c5a9de7b0c1702dcfb800e757cb98cd2b4036d876adc546

9daf88d6bf23e8a364ae873b6fd8e6f51cdb8d5ee57ba502a564e71f1bc00c10

ad88cb3677f4c3954d08c5f1d6d3635d07f31c36b9c11a609993c905f7f9eb3e

d104a9413ee081463431a8f5c4493b7a13f34309a99c8fae86a593f0dfbb42ad

dfb9a75bd82bcf0d9f72647affdf954d936d629eb3be78fe4b5c9b5166ccb9d6

ea826e56d7413c64d368bd4d1ef717f85ab9bfc51f44acd118d2ef5a36f0aaac

+ 115 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion

Link:

https://tria.ge/reports/230330-rvpzxaee3x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in Program Files directory

Launches sc.exe

Suspicious use of SetThreadContext

Executes dropped EXE

Drops file in Drivers directory

Stops running service(s)

Modifies security service

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

f2cbacd915456e47e8801353dce4cfdbfe2aeeaf6d5a8adaeaa325d0c30d00fc

MD5 hash:

251658deca6970f2412e182eca1aff5b

SHA1 hash:

7be806a1ef3839e2a772f2c13c8bf6f13b77eb70

Link:

https://www.unpac.me/results/4b8a97e2-0d01-4268-859e-b15cb0d8d73b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f2cbacd915456e47e8801353dce4cfdbfe2aeeaf6d5a8adaeaa325d0c30d00fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/378857/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample