MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f32b9eeea4a0879f8ffdd7075367279b1d5fb1b8b2edc9951fc3156eb6868f32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Renamer


Vendor detections: 12



SHA256 hash: f32b9eeea4a0879f8ffdd7075367279b1d5fb1b8b2edc9951fc3156eb6868f32
SHA3-384 hash: e90549bcc9dbe557bb5af3c360d68c55d53d859e855847af87f543c8d8b69ff017cc404885c170be8fafaccf3f32a981
SHA1 hash: 4ad4a78d133877493ae87643c93e7041f7a9db84
MD5 hash: dcb5ce3e8a3eac1e093cfcd46cedce92
humanhash: purple-colorado-fix-colorado
File name: triage_dropped_file
Signature: Renamer
File size: 773,615 bytes
First seen: 2022-05-25 13:49:58 UTC
Last seen: 2022-05-25 14:49:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 55f3dfd13c0557d3e32bcbc604441dd3 (shared with 124 x Formbook, 18 x Loki, 13 x AgentTesla)
ssdeep: 12288:lYB43GmfxjSGb7mjXq/9ll8wKA37stONlTyYV5jshQXeqnOH3o8ViTNlNw5Eo0Bh:lV2m5jSG2D6ll79LSm5whQuhkBlOEoBS
Threatray: 2,148 similar samples on MalwareBazaar
TLSH: T19FF42349D5CDA8FFE9EA51F04E936A73E7369C840493F3037E0A8FE99038E555523682
TrID:
  92.9% (.EXE) NSIS - Nullsoft Scriptable Install System (846567/2/133)
  3.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  1.1% (.EXE) Win64 Executable (generic) (10523/12/4)
  0.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  0.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: b2a89c96a2cada72 (shared with 2,283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter: malwarelabnet
Tags: exe Renamer
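The imphash above is shared with 124 Formbook, 18 Loki and 13 AgentTesla samples, and TrID classifies the file as an NSIS installer. That combination is the usual sign that the hash fingerprints the installer stub's import table rather than the payload's: every NSIS-wrapped sample built with the same stub gets the same imphash, so pivoting on it finds other NSIS-packed malware, not other Renamer. As an added example (not MalwareBazaar's code and not taken from this sample), the Python below reimplements the imphash scheme as used by pefile over constructed import tables, showing that library-name case and the .dll suffix do not change the hash while import order and the underlying table do. The import tables are invented for illustration, and the ordinal-to-name lookup that real tooling applies to ws2_32/oleaut32 is omitted.

```python
import hashlib
from collections import defaultdict

# Library-name extensions that the imphash scheme strips before hashing
# (the convention used by pefile's get_imphash).
_STRIP_EXTS = {"dll", "ocx", "sys"}


def imphash(imports):
    """Import hash of a PE, given its import directory as an ordered list of
    (library, function) pairs. `function` is the imported name, or an int for an
    import by ordinal.

    Scheme: lowercase library name minus .dll/.ocx/.sys, joined to the lowercase
    function name as "lib.func", all entries comma-joined in import-table order,
    then MD5. Real tooling also maps well-known ordinals of ws2_32/oleaut32 back
    to names; that table is omitted here, so every ordinal hashes as "ordN".
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIP_EXTS:
            lib = base
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def cluster_by_imphash(samples):
    """Group {sample_name: imports} by imphash; returns {imphash: [names]}."""
    clusters = defaultdict(list)
    for name, imports in samples.items():
        clusters[imphash(imports)].append(name)
    return dict(clusters)


# Constructed import tables (not taken from any real binary). STUB_IMPORTS stands
# in for an installer stub's import directory; both "wrapped" samples below carry
# the same stub, so their outer import tables, and hence their imphash, are equal.
STUB_IMPORTS = [
    ("KERNEL32.DLL", "GetProcAddress"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("KERNEL32.DLL", "CreateProcessA"),
    ("USER32.dll", "MessageBoxA"),
    ("SHELL32.dll", "ShellExecuteA"),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("COMCTL32.dll", 17),  # import by ordinal
]

# Same table with different casing: the loader does not care, and neither
# does the hash.
STUB_IMPORTS_RECASED = [(lib.lower(), f if isinstance(f, int) else f.upper())
                        for lib, f in STUB_IMPORTS]

# A hypothetical unwrapped binary with its own import directory.
STANDALONE_IMPORTS = [
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "WriteProcessMemory"),
    ("kernel32.dll", "SetThreadContext"),
    ("ntdll.dll", "NtUnmapViewOfSection"),
]

SAMPLES = {
    "wrapped-sample-A": STUB_IMPORTS,
    "wrapped-sample-B": STUB_IMPORTS_RECASED,
    "unwrapped-sample": STANDALONE_IMPORTS,
}

if __name__ == "__main__":
    for h, names in cluster_by_imphash(SAMPLES).items():
        print(h, sorted(names))
```

The practical consequence for triage: when TrID says NSIS (or any other installer/packer) and the imphash pivot returns a mix of unrelated families, treat the imphash as a packer fingerprint and pivot on the unpacked file's hashes or on ssdeep/TLSH of the extracted payload instead.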

Intelligence


File Origin
# of uploads: 2
# of downloads: 275
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: triage_dropped_file
Verdict: Malicious activity
Analysis date: 2022-05-25 16:40:56 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox; its verdict reflects all actions taken during the analysis session, not only those of the uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control.exe overlay packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Gorgon Group
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:

Threat name: Win32.Trojan.Nsisx
Status: Malicious
First seen: 2022-05-25 13:50:09 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 12 of 41 (29.27%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Executes dropped EXE
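Two of the behaviour flags above, Suspicious use of WriteProcessMemory and Suspicious use of SetThreadContext, are what a sandbox raises when one process writes into another and then replaces a thread's register context, which is the core of process hollowing and thread-hijack injection. As an added example (not the sandbox vendor's detection logic and not MalwareBazaar's code), the Python below parses a constructed API trace in an ad-hoc format and flags a child that its creator spawned with CREATE_SUSPENDED, wrote into, and then re-pointed with SetThreadContext; it also records whether a ResumeThread followed. The trace format, image paths and pids are assumptions made for the example and are not taken from this sample's analysis.

```python
import re

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

# Constructed API trace in an ad-hoc "pid API(key=value, ...) -> ret" format.
# It is NOT the sandbox's real log format and the paths/pids are placeholders.
# Process 1204 performs the hollowing sequence; process 2210 is a benign control
# that writes once into a child it started normally.
SAMPLE_TRACE = """\
1204 CreateProcessW(image="C:\\Windows\\System32\\target.exe", flags=0x4) -> pid=3320
1204 WriteProcessMemory(pid=3320, addr=0x400000, size=0x2000) -> 1
1204 WriteProcessMemory(pid=3320, addr=0x402000, size=0x8000) -> 1
1204 SetThreadContext(pid=3320, tid=3324) -> 1
1204 ResumeThread(pid=3320, tid=3324) -> 1
1204 CreateFileW(path="C:\\autorun.inf") -> 0x1c4
2210 CreateProcessW(image="C:\\Windows\\System32\\child.exe", flags=0x0) -> pid=2400
2210 WriteProcessMemory(pid=2400, addr=0x7ff0000, size=0x10) -> 1
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|0x[0-9a-fA-F]+|\d+)')


def _value(tok):
    """Decode a quoted string, a hex literal or a decimal integer."""
    if tok.startswith('"'):
        return tok[1:-1]
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def parse_trace(text):
    """Parse trace lines into dicts with pid, api, args{} and ret{}. ret holds
    key=value results such as pid=...; a bare return value leaves it empty."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an API call line
        events.append({
            "pid": int(m.group("pid")),
            "api": m.group("api"),
            "args": {k: _value(v) for k, v in KV_RE.findall(m.group("args"))},
            "ret": {k: _value(v) for k, v in KV_RE.findall(m.group("ret"))},
        })
    return events


def detect_hollowing(text):
    """Return one finding per child that its creator spawned suspended, wrote
    into, and then re-pointed via SetThreadContext. The finding dict is updated
    in place if a ResumeThread follows, so callers can tell whether the
    replaced image was actually run."""
    children = {}  # child pid -> tracking state for its creating process
    findings = []
    for ev in parse_trace(text):
        api, args, src = ev["api"], ev["args"], ev["pid"]
        if api.startswith("CreateProcess") and "pid" in ev["ret"]:
            child = ev["ret"]["pid"]
            children[child] = {
                "source_pid": src, "target_pid": child,
                "image": args.get("image", ""),
                "suspended": bool(args.get("flags", 0) & CREATE_SUSPENDED),
                "writes": 0, "bytes_written": 0,
                "context_set": False, "resumed": False,
            }
            continue
        st = children.get(args.get("pid"))
        if st is None or st["source_pid"] != src:
            continue  # only the creating process is considered here
        if api == "WriteProcessMemory":
            st["writes"] += 1
            st["bytes_written"] += args.get("size", 0)
        elif api == "SetThreadContext":
            st["context_set"] = True
            if st["suspended"] and st["writes"] and st not in findings:
                findings.append(st)
        elif api == "ResumeThread":
            st["resumed"] = True
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print("hollowing: pid %d -> pid %d (%s), %d writes, 0x%x bytes, resumed=%s"
              % (f["source_pid"], f["target_pid"], f["image"], f["writes"],
                 f["bytes_written"], f["resumed"]))
```

SetThreadContext and WriteProcessMemory are also used legitimately by debuggers and some installers, which is why a sandbox labels them "suspicious" rather than malicious on their own; requiring the CREATE_SUSPENDED parent, at least one write, and the context change on the same child is what turns the individual flags into a usable hollowing signal.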
Unpacked files
SHA256 hash: 3c3eaf3d0e25b95ecbc723e40a5473a0b9fe5d48a393228214b7f69137d401c8
MD5 hash: f3b2e0c527a821d49da2bdbd30ebc9a3
SHA1 hash: 615b2e2c97f3834c8083f214c6935f5beb917926

SHA256 hash: f32b9eeea4a0879f8ffdd7075367279b1d5fb1b8b2edc9951fc3156eb6868f32 (this sample)
MD5 hash: dcb5ce3e8a3eac1e093cfcd46cedce92
SHA1 hash: 4ad4a78d133877493ae87643c93e7041f7a9db84
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MALWARE_Win_Renamer
Author: ditekSHen
Description: Detects Renamer/Tainp variants

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Renamer
File: Executable exe f32b9eeea4a0879f8ffdd7075367279b1d5fb1b8b2edc9951fc3156eb6868f32 (this sample)

Comments