MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9d6e83fd46ddb038a662fdd021694e743453002b367287f78da942259033fdf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9d6e83fd46ddb038a662fdd021694e743453002b367287f78da942259033fdf
SHA3-384 hash: 0e342fe089dc3ef8d0a0374cb3d34d0967fa2cc872d4db8006a235c5013f83f87f7877120b4586fb8e0cb886663420c8
SHA1 hash: c150e2a2678ede6ae0f6c0494416f222d33acde9
MD5 hash: 84c9b802cfa86c22518e3dfad7e1951f
humanhash: network-lima-quiet-pennsylvania
File name:SecuriteInfo.com.Gen.Variant.Nemesis.10034.10827.21217
Download: download sample
File size:314'640 bytes
First seen:2022-08-18 17:36:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ea4df5d94204fc550be1874e1b77ea7 (241 x GuLoader, 29 x RemcosRAT, 17 x VIPKeylogger)
ssdeep 3072:JAe+3aJpgWXTBumxLKNrFUrb+CaV3krZFb0FkByMWveKT4kduHnU+4bltu+uDItv:+B+pgULLC8IU7jByMWvt47HV45bSMt
Threatray 4'481 similar samples on MalwareBazaar
TLSH T11A64F1163782C95BD78057708499F73E8E74FE443E35CA2337A4EF8E7A247229919392
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe signed

Code Signing Certificate

Organisation:Grundskuddets Bosthoon
Issuer:Grundskuddets Bosthoon
Algorithm:sha256WithRSAEncryption
Valid from:2021-12-18T12:34:12Z
Valid to:2024-12-17T12:34:12Z
Serial number: 747068be96618b9c
Thumbprint Algorithm:SHA256
Thumbprint: e6b104e035658ac7fc418abb836b31d6b0ce26492065d3ca77761f91ea4e725b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
302
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Gen.Variant.Nemesis.10034.10827.21217
Verdict:
Malicious activity
Analysis date:
2022-08-18 17:37:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7f2b4cc6-0c89-4180-9086-e5cc18cf64d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299631/
Detection(s):
SecuriteInfo.com.Gen.Variant.Nemesis.10034.10827.21217.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29425/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/62fe78c5a6276e777d2b2511/reports/1a521da0-e1b0-4c87-a164-efe0d5d966ce/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/904b8c94-9f8b-48d8-b118-8971bcba988c
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
28 / 100
Link:
https://www.joesandbox.com/analysis/1053937
Signature
Mass process execution to delay analysis
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 686454 Sample: SecuriteInfo.com.Gen.Varian... Startdate: 18/08/2022 Architecture: WINDOWS Score: 28 6 SecuriteInfo.com.Gen.Variant.Nemesis.10034.10827.exe 3 86 2->6         started        file3 32 C:\Users\user\...\ArmouryCrate.DenoiseAI.exe, PE32+ 6->32 dropped 34 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 6->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 6->36 dropped 38 Mass process execution to delay analysis 6->38 10 powershell.exe 6->10         started        12 powershell.exe 6->12         started        14 powershell.exe 6->14         started        16 51 other processes 6->16 signatures4 process5 process6 18 conhost.exe 10->18         started        20 conhost.exe 12->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 16->26         started        28 conhost.exe 16->28         started        30 48 other processes 16->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9d6e83fd46ddb038a662fdd021694e743453002b367287f78da942259033fdf/
Threat name:
Win32.Trojan.Nemesis
Create hunting rule
Status:
Malicious
First seen:
2022-08-18 17:37:07 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
9 of 38 (23.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hloqp6unxnqhctgf7oqefuu45bukmacwntsq73y3kkcewidh7pq._file
Verdict:
unknown
Similar samples:
56af437f8b3b60b32b7cba77fa159138a777a48e98ce0215e8ec6f97ef12b223
595f2ae803f01eba157b6deff4687380346e15609e43cc05b541b527bb7292eb
659d6a4757ecc8ee426b62660c1379645873a6b3df3efcddd3dec68a1b35cb60
867728410f8a0158bf19ee07f1001905aa803295cb9995a3a813fba7ef46770c
8db79a723be588747af0a68c7e6ec677f0d27a476f0795a06da5a2595ea8799b
aba19cc38e4985676b27e5a87d4e11c8bdbb8ee25f27b0482512153bb8483f0c
b60f2abca2515ab7c447ab5b237a50c634357f7d4c9591b76c0b44829ad30460
c2c6dbfb6b0c03a22473c7f2f6cbfe0bbf500c795b920ddeb37c27af7de76d93
d28cdd34432fb25eb479fc1faa90d0f1fa37bd4b9edb9e1febaa512f8e1ea79e
+ 4'471 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220818-v65fhscfa7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
MD5 hash:
c5b9fe538654a5a259cf64c2455c5426
SHA1 hash:
db45505fa041af025de53a0580758f3694b9444a
Link:
https://www.unpac.me/results/4ebd4b39-67e2-4847-963a-5429c093b8ed/
SH256 hash:
067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
MD5 hash:
0d45588070cf728359055f776af16ec4
SHA1 hash:
c4375ceb2883dee74632e81addbfa4e8b0c6d84a
Link:
https://www.unpac.me/results/4ebd4b39-67e2-4847-963a-5429c093b8ed/
SH256 hash:
2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash:
a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash:
17c78201323ab2095bc53184aa8267c9187d5173
Link:
https://www.unpac.me/results/4ebd4b39-67e2-4847-963a-5429c093b8ed/
SH256 hash:
8c6a95a1bf06c22224ab43bc1a1948f2cb0fd8d7089f2b828033c0fde161d2c2
MD5 hash:
d5bf01b2a316120d3d906e48e850520e
SHA1 hash:
a0e2f1caca1d35c227d231e6063d71ffe1d06322
Link:
https://www.unpac.me/results/4ebd4b39-67e2-4847-963a-5429c093b8ed/
SH256 hash:
f9d6e83fd46ddb038a662fdd021694e743453002b367287f78da942259033fdf
MD5 hash:
84c9b802cfa86c22518e3dfad7e1951f
SHA1 hash:
c150e2a2678ede6ae0f6c0494416f222d33acde9
Link:
https://www.unpac.me/results/4ebd4b39-67e2-4847-963a-5429c093b8ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/f9d6e83fd46ddb038a662fdd021694e743453002b367287f78da942259033fdf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/299631/

Comments