MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
SHA3-384 hash: 3f97272e5c7b89b537e35ea93c5997796bfd57af71aa63ad99c1e5b00f4313bc8bf1887c4e821ff05d8613f5cc95ab11
SHA1 hash: f1009c96203862812cefa14e186dcff610ccc634
MD5 hash: 532524e6b61b197d92f3bd4ed3331d3d
humanhash: kentucky-winter-two-utah
File name:SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.22959
Download: download sample
File size:747'008 bytes
First seen:2020-08-01 19:30:25 UTC
Last seen:2020-08-02 07:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3PokR3Wry+Qs4SsyWJQ1r0S7pvhnGlDKacgEcqnn/cKWmbzILD69g5qAvJZ:/okR3WryKEJ4rLJJGlDpEc+/Pbz6G9GJ
Threatray 13 similar samples on MalwareBazaar
TLSH 7FF46D917398CD16C17E437194EE082847FCC705A7E2EBA62A9065F139C37913E9E1AF
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
2
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Dcrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/36985/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.18359.4542.4750.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Launching a process
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Connection attempt
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/406678
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255570 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 01/08/2020 Architecture: WINDOWS Score: 96 47 .NET source code contains method to dynamically call methods (often used by packers) 2->47 49 Machine Learning detection for sample 2->49 51 Machine Learning detection for dropped file 2->51 53 4 other signatures 2->53 7 SecuriteInfo.com.Trojan.PWS.Steam.18359.22695.exe 19 2->7         started        11 RuntimeBroker.exe 3 2->11         started        13 MJnEFvNgIJqiFpsMVAANBvKDsiT.exe 3 2->13         started        15 svchost.exe 2->15         started        process3 file4 37 C:\Windows\Offline Web Pages\svchost.exe, PE32 7->37 dropped 39 C:\Users\Default\RuntimeBroker.exe, PE32 7->39 dropped 41 C:\ProgramData\dbg\svchost.exe, PE32 7->41 dropped 43 7 other files (6 malicious) 7->43 dropped 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->57 59 Drops PE files to the user root directory 7->59 61 Drops executables to the windows directory (C:\Windows) and starts them 7->61 65 3 other signatures 7->65 17 svchost.exe 7->17         started        21 schtasks.exe 1 7->21         started        23 schtasks.exe 1 7->23         started        25 3 other processes 7->25 63 Machine Learning detection for dropped file 11->63 signatures5 process6 dnsIp7 45 94.250.251.54, 80 THEFIRST-ASRU Russian Federation 17->45 55 System process connects to network (likely due to code injection or exploit) 17->55 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 07:04:22 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2eaf25d2c99eb49743060031a22428bb7c8e78a99869638cfe43b977dda57f22
41eef1a870eaea8573585611d3fd3b9f0fb30ed20ffe94e7082b8925b12c329d
52e86edaba718d1876ad5fb921a189e705cf3a72887c63db49ea9faf8e85ea7e
674cac26b5ee006a476669c6857e24a8187ef94945d521c8bbe9069ec74494ba
80b0c19bc7b0f30f3f6ebcef118f54efca43e46acd327dde7a4ca97a257b4c7b
bc742c33c446a25e6482c4209436088415d5c89a7f8ab66f37f16006d62344ac
c9783969d5474b7035fab8eb6acfedd475ec7297cd8042f5a188b21c48b9491a
ef72449dd56a1628cc56a50809c914fef2b5a59ca51b06e78e1c822d8938252d
f32e731527a2a3fa24a75c8732c2e236dfb6dd4f09c50add479d6cf9e018d34c
f9b7ef320dd7f76be9bdf12f14f0875a9f52165b989376cd1f2e2d23cdb52fe5
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200801-6feys3e6a6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Drops file in Program Files directory
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/420764/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/36985/

Comments