MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

PoshC2

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a
SHA3-384 hash:	fc7155f194b369f3440a8c3319d087c749b2fb202a13a09ed3b092dd694b063fdc85d080ee83c149942e75c0c23a7e4b
SHA1 hash:	2bc22698a8b0d30cac2b48295b08a0d470079929
MD5 hash:	16268b688a3381b2ae38e6e9f2692ad5
humanhash:	lamp-alpha-princess-seven
File name:	SecuriteInfo.com.Trojan.RunPowerShellNET.8.15890.26256
Download:	download sample
Signature	PoshC2 Create hunting rule
File size:	140'288 bytes
First seen:	2023-12-04 22:30:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bb9dc484d891a7cf70c5c51b76b5d7db (7 x PoshC2)
ssdeep	3072:arKiddDSt4dtH1G2hfdE8IiSYs377PhrU:cKiddDIK7GiOTiST7jhrU
Threatray	10 similar samples on MalwareBazaar
TLSH	T1FCD3FD3E35B16807F9FD0A38F4F5BA1642003123B9E65CCE6D14AA2CD373977369A664
TrID	40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 12.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 11.0% (.EXE) Win32 Executable (generic) (4505/5/1) 5.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe poshc2

Intelligence

File Origin

# of uploads :

# of downloads :

316

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/462469/

Detection(s):

SecuriteInfo.com.Trojan.RunPowerShellNET.8.15890.26256.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug packed

Link:

https://www.filescan.io/uploads/656e535f3636548f3739c7be/reports/ca24b071-9139-403f-9f61-2faad6ce204c/overview

Verdict:

Malicious

Labled as:

DeepScan:Generic.ShellCode.RDI.Marte.4

Link:

https://www.hybrid-analysis.com/sample/f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

PoshC2

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/452bd1d3-eec5-4e73-a7d5-a12773fb08c6

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1353555

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to compare user and computer (likely to detect sandboxes)

Contains functionality to inject threads in other processes

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a/

Threat name:

Win32.Trojan.Generic

Status:

Malicious

First seen:

2023-12-04 22:31:15 UTC

File Type:

PE (Exe)

AV detection:

18 of 23 (78.26%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7dw3efgzxx2vijc5r3dxiwvzum5fedtx2hfdbcl75obyrjesgfna._file

Verdict:

malicious

PoshC2

7c3ac84e096ca5f2bbb36520dac302bfa00b6cd61598eafbffeaabea66bfa307

PoshC2

7c3f8d84b7cb379acf14a5395862b51f94936b5db1e4f34e8e3c8f39c4350192

PoshC2

a6c2b68b46b6b478ae984fd861f1681688a64c2f1f3227256e6fd436be1569e0

PoshC2

f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a

PoshC2

facb6240627523db6b3ea21e1acefdc1183ae7f4496fd333227ac764a5ab2c21

PoshC2

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231204-2fcq5sgb82/

Unpacked files

SH256 hash:

bcf8388601e298c0a07e08c3c6d081ea0a9b3f1757089c31b6de5f5f28801a72

MD5 hash:

f3d0da7b713363126db0c00bb062f0eb

SHA1 hash:

bb3bee6914d00ed1fef6c073f84af4be2ede480b

Link:

https://www.unpac.me/results/333b4134-433a-47d9-a2ee-4be26ec3962f/

SH256 hash:

070ea2f30ce3945b7c8c04a2321333ba849febf6c9e231671e6ac46b12a1f303

MD5 hash:

52c98c466a7411d9385143abcd79fea9

SHA1 hash:

0ce68bdc222435d0268e42429032309c402b4990

Detections:

Gen_Base64_EXE

Link:

https://www.unpac.me/results/333b4134-433a-47d9-a2ee-4be26ec3962f/

SH256 hash:

f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a

MD5 hash:

16268b688a3381b2ae38e6e9f2692ad5

SHA1 hash:

2bc22698a8b0d30cac2b48295b08a0d470079929

Link:

https://www.unpac.me/results/333b4134-433a-47d9-a2ee-4be26ec3962f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	Windows_Shellcode_Rdi_eee75d2c Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PoshC2

exe f8edb214d9bdf554245d8ec7745ab9a33a520e77d1ca30897feb8388a492315a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2737482/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/462469/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample