MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9
SHA3-384 hash: fe27df29250e4e449038ec51e201bd28a48739f607214d80f0193247ed8022e37bb05b97ad59aa953a2b2d5f2adafd81
SHA1 hash: 44d44ad94ede70ae8bdf75ea18660911f5a22915
MD5 hash: 1fa21564b4463aa7a564a20fa00dafba
humanhash: violet-ack-white-carpet
File name:1fa21564b4463aa7a564a20fa00dafba
Download: download sample
File size:14'546'944 bytes
First seen:2023-03-19 15:35:27 UTC
Last seen:2023-03-19 18:31:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 57c9b357ae0cb2f414b0a5873e2f216d
ssdeep 98304:Z8orC0paqIwP+g/pkrubbwibwHyEe/4/I3eFTF:CExaqvP+0pkruwKw/P/I
Threatray 148 similar samples on MalwareBazaar
TLSH T1F2E65B07F89191E5C4EDD170CA269262BA303C495F3067D73B20F6B92F36BE46A7A354
gimphash 95421d92207a4d400e1e7c285ea7044551c01c8b87ceb23045e77c84d7106902
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
https://download2289.mediafire.com/8qqs6oo1rujgnygOXJhbwy64oswURabE2x1av_x8wbxCKNoVMnXD6WiSXch-UuV7QZsplxCm1Blj8PQDFBwo1J9UjPRmqg/bjekqvmcikvdtef/WareHacks.rar
Verdict:
Malicious activity
Analysis date:
2023-03-17 20:29:41 UTC
Tags:
raccoon recordbreaker trojan loader stealer
Link:
https://app.any.run/tasks/d495552d-9a4c-4e26-8579-3761de8bc587

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.65992803.17957.9235.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Reading critical registry keys
Running batch commands
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware virus
Link:
https://www.filescan.io/uploads/64172be5e6d26a096f571e11/reports/65b8e691-cf06-4caf-b672-7b43bb217206/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a681c562-f98f-4bff-b857-b5397ffb484f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1197142
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 830041 Sample: NOaTVcmwcY.exe Startdate: 19/03/2023 Architecture: WINDOWS Score: 60 16 Antivirus / Scanner detection for submitted sample 2->16 18 Multi AV Scanner detection for submitted file 2->18 7 NOaTVcmwcY.exe 2->7         started        process3 signatures4 20 Tries to harvest and steal browser information (history, passwords, etc) 7->20 10 cmd.exe 1 7->10         started        process5 process6 12 conhost.exe 10->12         started        14 choice.exe 1 10->14         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9/
Threat name:
Win64.Trojan.Vigorf
Create hunting rule
Status:
Malicious
First seen:
2023-03-16 15:01:26 UTC
File Type:
PE+ (Exe)
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hbbkmugriwnhs7kuixzfqrxznz374t5op6es4lnqhej53nxfpuq._file
Verdict:
unknown
Similar samples:
39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
3ef830b80dfde2495d9c111cee4c9b6be29c1801ea55cd15b2235ef0a9c359fd
67dd0268cb9b122574629662f97f6d56ffca8e7d478f38be141ac02131708730
6888c253f7fe673389ea592d69e1844c81eb01f313514df88f9dbdebad514aa8
a9ee6721f8d23338032cdce673ff1784a6c207d5c7aa6857fbd5c0c5f2d81208
adcf0ee814651b8a561d827d7ecc7a9aee660a950511c1ffae7d16f426f8de14
b9736626a522b3d6301ede70895f1ffbb592d88b2f9e7a9908797e0a0249b00c
c9716a41f6865025271a42553f3240810b678f89bffaa2a5c69a0576757947ab
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b
e487cc9c5d05a910d82c833029b1dc9ac00e5729ad05d1dcfafaa4fc64496b6d
+ 138 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230319-s1w6vaha22/
Behaviour
Suspicious use of WriteProcessMemory
Deletes itself
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9
MD5 hash:
1fa21564b4463aa7a564a20fa00dafba
SHA1 hash:
44d44ad94ede70ae8bdf75ea18660911f5a22915
Link:
https://www.unpac.me/results/0ec66359-8381-4677-acbe-9a876d1ff571/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2577442/

Comments


Avatar
zbet commented on 2023-03-19 15:35:35 UTC

url : hxxp://185.106.92.140:8080/Slava.exe