MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Sliver


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d
SHA3-384 hash: fd80d402fcf1cac3f1a28d544b8d7b6ef06b39f71b7e4443bde8982d2f0a3f8673c8af36d83b3cb94ce55ef839a06c6e
SHA1 hash: e3d5f4892f18e97e4be26c7e0e92d2d8411f2fe0
MD5 hash: 205eba033c31a42d83971958eee8d0eb
humanhash: butter-twenty-paris-happy
File name:file
Download: download sample
Signature Sliver
Create hunting rule
File size:8'632'320 bytes
First seen:2024-09-30 18:13:44 UTC
Last seen:2024-12-09 18:01:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (230 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 196608:n6DCGvmFBgqmQ5ku1eYtdCKYluttk08TaSOSff3D:n6Z0rmQ5kNY3C/uttkFTaSZX
TLSH T1F09633BA894B3923821AD23EA395884271F4A9101FDC46265F0F47A6C3FBBC3D6D5D53
TrID 63.5% (.EXE) UPX compressed Win64 Executable (70117/5/12)
24.5% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.ICL) Windows Icons Library (generic) (2059/9)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:exe sliver


Avatar
Bitsight
url: http://147.45.44.104/malesa/66fad551bd8fd_edgeupdater.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
404
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-09-30 18:14:53 UTC
Tags:
upx crypto-regex
Link:
https://app.any.run/tasks/fdd21d60-436d-43b7-91d5-b0fcb60e3e34

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Agent.xbsxbe.29045.18306.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66faeb651fc3f42f04e86b35
Tags:
Powershell Exploit Sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
monero packed packed packed python rat sliver upx
Link:
https://www.filescan.io/uploads/66faea6b47c03599af5425a6/reports/82fd91d4-95be-41bb-b091-ab99b09dcb9e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1f01c415-081d-4c2e-974f-601732332a8a
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/1522913
Signature
AI detected suspicious sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522913 Sample: file.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 24 29 serversrvhaotete3avuar6t.com 2->29 31 AI detected suspicious sample 2->31 8 file.exe 1 2 2->8         started        11 file.exe 2->11         started        13 file.exe 2->13         started        signatures3 process4 file5 27 C:\Users\user\AppData\Roaming\...\file.exe, PE32+ 8->27 dropped 15 tasklist.exe 1 8->15         started        17 tasklist.exe 1 11->17         started        19 tasklist.exe 1 13->19         started        process6 process7 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-09-30 18:14:07 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
12 of 23 (52.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=76n4ht7mimrprpnwzi6idkpa2ybojjtavhmfvj3mo2yygmcrlvgq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence upx
Link:
https://tria.ge/reports/240930-wvbjqsyenr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
UPX packed file
Adds Run key to start application
Verdict:
Malicious
Tags:
trojan
YARA:
SUSP_Imphash_Mar23_3
Link:
https://app.threat.zone/submission/cfc09887-8216-4df2-b331-cf2462d50391
Unpacked files
SH256 hash:
bd4312e6893b24170a1fc802d098ccaf74a6bfce91b657e2ed02f93e5243aa3a
MD5 hash:
90f178803e60a3fe975bb385c8baf0e9
SHA1 hash:
c8119e942f2128072021e267d8b93e1ba87371f2
Detections:
Sliver_Implant_32bit
Create hunting rule
Sliver_Implant_32bit
Create hunting rule
Link:
https://www.unpac.me/results/b5fd5760-2d08-4f2d-9c9a-9f147bde323e/
SH256 hash:
ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d
MD5 hash:
205eba033c31a42d83971958eee8d0eb
SHA1 hash:
e3d5f4892f18e97e4be26c7e0e92d2d8411f2fe0
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/b5fd5760-2d08-4f2d-9c9a-9f147bde323e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.98
Link:
https://yomi.yoroi.company/submissions/ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:GoBinTest
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Sliver

Executable exe ff9bc3cfec4322f8bdb6ca3c81a9e0d602e4a660a9d85aa76c76b18330515d4d

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3202206/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA

Comments