MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1
SHA3-384 hash:	edfc1640e0985f138353e045aa2287206532669526e8a1bd7eb9ace3a32b5b3a24e3831622ad3e5ea9d20b28bb700b4c
SHA1 hash:	a66ed67beb5e4279ae406e1b2d523f53160fe8e7
MD5 hash:	7902cf3b187c86961e9b017c2171def0
humanhash:	nuts-beer-jig-texas
File name:	7902cf3b187c86961e9b017c2171def0.exe
Download:	download sample
Signature	CustomerLoader Alert Create hunting rule
File size:	13'312 bytes
First seen:	2023-07-18 13:20:06 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	192:dekG7oTmnlMRb5YWagXW9N8vyNVUi4nIx5wfQN31AqLc1Hlct+ikct+ic1n:okG7oTmlsbGWBWOpQ8fvrctmct2
Threatray	50 similar samples on MalwareBazaar
TLSH	T136521A109BE8462AD76F4776DDB30741013ADF776513EB2E79DCA109294332927523B2
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	abuse_ch
Tags:	CustomerLoader exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

261

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

7902cf3b187c86961e9b017c2171def0.exe

Verdict:

Malicious activity

Analysis date:

2023-07-18 13:24:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c26f7e76-c4b9-4944-aba1-4df68663e034

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/423613/

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file

Creating a service

Launching a service

Loading a system driver

Creating a file in the Windows subdirectories

Searching for synchronization primitives

Creating a file in the Windows directory

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Searching for the window

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun for a service

FileScan.IO Likely Malicious

Verdict:

Likely Malicious

Threat level:

  7.5/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/64b691c08ca71f19e0890f0c/reports/5c910aa2-a540-4300-80cd-33d956b02bda/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer tftp

Malware family:

tftp

Alert

Create hunting rule

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/78b3bf68-5e18-418b-b874-0cbd481fd410

Joe Sandbox Customer Loader

Result

Threat name:

Customer Loader

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1275190

Signature

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sample is not signed and drops a device driver

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Customer Loader

Yara detected UAC Bypass using CMSTP

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Generic

Threat name:

ByteCode-MSIL.Trojan.Generic

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-07-17 03:28:51 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

1

AV detection:

17 of 38 (44.74%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7qq3rgsixmmlik3ighqbuqkbtolaelfiv3n5lwwl4lbamt5bb7iq._file

Threatray malicious

Verdict:

malicious

Similar samples:

12bfbe54bef7d2002007f3d4242866dd32f90b17624e67765d902f7f01ee58a6

CustomerLoader

3956c21824bc18caca2523381ce3fa113e40d5e7f47bf2a05d65f2a1a27a3f1d

CustomerLoader

576ef869c72f3afe6f4f5101f27aeb0d479cae8e5d348eea4e43e8af8252dfd0

CustomerLoader

670bc9a86f72af2ab43a89c576a4e1874ce188b35a1f5656ea27f4b7ac3d5f09

CustomerLoader

71b83a4a645cee8038819ee490a2b6324d287d8aac405adb1b373277dc5c23ab

CustomerLoader

d73dbd022ae04284c10281b7aad42b0b80d45deec6beee79858e635a43627f65

CustomerLoader

e43e5c816ce04f8fa14c819ff2b5bfc02c03e27a4b0a6b85875ef11ea4d4489f

CustomerLoader

e9b89c91baf30931ff00e18e04d957edc7735cbc9e44eec035e8f395f6c4b6dd

CustomerLoader

f19f1debabf340338607f916a64a783e14afc6d3ee4a5ab390a00dc3f33f30d2

CustomerLoader

+ 40 additional samples on MalwareBazaar

Hatching Triage Unknown

Result

Malware family:

n/a

Score:

  3/10

Tags:

n/a

Link:

https://tria.ge/reports/230718-qlm9aaaf59/

Behaviour

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

UnpacMe

Unpacked files

SH256 hash:

fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1

MD5 hash:

7902cf3b187c86961e9b017c2171def0

SHA1 hash:

a66ed67beb5e4279ae406e1b2d523f53160fe8e7

Link:

https://www.unpac.me/results/8e379385-0b4b-45bb-baac-40a822fa6130/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CustomerLoader

exe fc21b89a48bb18b42b6831e01a41419b96022ca8aedbd5dacbe2c2064fa10fd1

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2681797/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/423613/