MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee1c178a078c05fefdd698fe88e146a56f2fca009b5cd61492edb0b610304130. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA 1 File information Comments

SHA256 hash:	ee1c178a078c05fefdd698fe88e146a56f2fca009b5cd61492edb0b610304130
SHA3-384 hash:	611e91422db0f1f187d4010e6c6794a3f3f957d5beb96bc5b5991058752bb690f99a7b19549f67eb707ecfde741d8cd7
SHA1 hash:	6a384219c82525c601688d6b8973f49c91921ae1
MD5 hash:	bb1f7153f5869e31cb22c5c4c7f0d5e5
humanhash:	carbon-sink-mobile-cola
File name:	SecuriteInfo.com.BehavesLike.Win32.Generic.dc.22861
Download:	download sample
File size:	956'928 bytes
First seen:	2020-04-10 18:36:22 UTC
Last seen:	2020-04-10 19:31:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:R2xSgcMIDbJ2xQI2fuVU70n24uYwYWzf:R2x0P5IG7024uB
Threatray	15 similar samples on MalwareBazaar
TLSH	3D1501242AFF9019F173EFB957E8B9D2CA6EBA333A06E44D149243864613740ED9153F
Reporter	SecuriteInfoCom

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.dc.22861.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-04-10 16:26:04 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Verdict:

malicious

384b681234bcb71c52d6ac2bbe80207dd999f904e464e862adbb99ce25aec1f9

46720af001912e9313a78e5ecd74325e8c523568dfca01a63cc1dfef380d14b7

b398c602a2c9bab7ad128bcd189f83106244670cdf6b99782e59ed9d5435cef6

c6a79c01335416c78e765d551d49900b91c5ee5f85b42fba910a2e070e350476

d2b4884cc2df9f63f567a285574e1707286c08dd2ecc6ab3dfe7965cbe570ccb

dcf7492e81811ade045329a9d2da8324384ff11e1355ed4241210e12061e3ac2

e9c607f263a990db1bf0465c8688ed7ce7e5f294845041fb56af313df34f45df

eeff6ccf798f62c083d9ffb79d3807433c39cc153e85db8bab498d0c688af078

f5c1cfaf3b4793e3a93ed8cef3efd02e809e2c701178b2f3dcd548e89d139e1a

+ 5 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	win_blackremote_w0 Create hunting rule
Author:	jeFF0Falltrades

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ee1c178a078c05fefdd698fe88e146a56f2fca009b5cd61492edb0b610304130

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/337981/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample