MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
SHA3-384 hash: 8246471a2ebf03dc8b60489e34087bc807c035be18c6c2b609b23f35f455bbc518a3c461adaa3098a50929638ea3b62e
SHA1 hash: 13690837235053762a538b4c5b2b601ec9f6bb22
MD5 hash: 666248c216a3f63828f739839230f9f6
humanhash: yellow-jupiter-sierra-nevada
File name:file
Download: download sample
File size:51'200 bytes
First seen:2024-11-21 19:10:57 UTC
Last seen:2024-11-22 04:00:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 768:CT6n3V7i+V39HhHw98cje6O7UgYWE8knmbN8vnoK:7i+/BHw98cyoWE8ks8vnp
TLSH T19533D99C766072DFC86BC876CAA82C64EA6074B7531BC313A05316ED9E0D99BCF151F2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter Bitsight
Tags:exe


Avatar
Bitsight
url: http://176.113.115.178/file.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
503
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-21 19:11:58 UTC
Tags:
amadey botnet stealer loader themida lumma stealc cryptbot purecrypter purelogs rat asyncrat remote miner
Link:
https://app.any.run/tasks/2127da22-ebad-4f58-bfc5-0f98d2cb1237

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.27616.28694.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673f8686d0583382434a3e27
Tags:
xtreme packed shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file
Searching for synchronization primitives
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP GET request
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Running batch commands
Sending a custom TCP request
Reading critical registry keys
Searching for analyzing tools
Deleting a system file
Stealing user critical data
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
confuser confuserex net obfuscated packed
Link:
https://www.filescan.io/uploads/673f85c88bfad4e5609d87db/reports/d339bfe0-7525-40e7-98d6-eb227db6cec9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b2e2d1a-a7f0-4995-98e8-6a4f10651b1c
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1560438
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Downloads files with wrong headers with respect to MIME Content-Type
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Powershell drops PE file
Sigma detected: Disable power options
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Stop EventLog
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ipconfig to lookup or modify the Windows network settings
Uses powercfg.exe to modify the power settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1560438 Sample: file.exe Startdate: 21/11/2024 Architecture: WINDOWS Score: 100 86 246.204.9.0.in-addr.arpa 2->86 126 Antivirus / Scanner detection for submitted sample 2->126 128 Multi AV Scanner detection for submitted file 2->128 130 Yara detected Powershell download and execute 2->130 132 20 other signatures 2->132 15 file.exe 2 2->15         started        18 Mig.exe 2->18         started        21 svchost.exe 2->21         started        signatures3 process4 dnsIp5 82 C:\Users\user\AppData\Local\...\tempScript.js, ASCII 15->82 dropped 84 C:\Users\user\AppData\Local\...\file.exe.log, CSV 15->84 dropped 24 wscript.exe 1 1 15->24         started        106 Detected unpacking (changes PE section rights) 18->106 108 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->108 110 Machine Learning detection for dropped file 18->110 112 3 other signatures 18->112 88 127.0.0.1 unknown unknown 21->88 file6 signatures7 process8 signatures9 136 Suspicious powershell command line found 24->136 138 Wscript starts Powershell (via cmd or directly) 24->138 140 Windows Scripting host queries suspicious COM object (likely to drop second stage) 24->140 142 Suspicious execution chain found 24->142 27 powershell.exe 10 19 24->27         started        31 powershell.exe 7 17 24->31         started        process10 dnsIp11 80 C:\Users\user\AppData\Roaming\CMD.vbs, ASCII 27->80 dropped 154 Potential malicious VBS script found (suspicious strings) 27->154 156 Found many strings related to Crypto-Wallets (likely being stolen) 27->156 158 Uses ipconfig to lookup or modify the Windows network settings 27->158 164 2 other signatures 27->164 34 wscript.exe 1 27->34         started        37 conhost.exe 27->37         started        92 176.113.115.178, 49704, 49705, 49706 SELECTELRU Russian Federation 31->92 160 Writes to foreign memory regions 31->160 162 Injects a PE file into a foreign processes 31->162 39 RegSvcs.exe 3 31->39         started        42 conhost.exe 31->42         started        44 ipconfig.exe 1 31->44         started        file12 signatures13 process14 dnsIp15 114 Wscript starts Powershell (via cmd or directly) 34->114 116 Windows Scripting host queries suspicious COM object (likely to drop second stage) 34->116 46 cmd.exe 1 34->46         started        90 176.113.115.177, 49707, 49711, 7702 SELECTELRU Russian Federation 39->90 118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->118 120 Tries to steal Mail credentials (via file / registry access) 39->120 122 Found many strings related to Crypto-Wallets (likely being stolen) 39->122 124 3 other signatures 39->124 signatures16 process17 process18 48 mshta.exe 17 46->48         started        51 conhost.exe 46->51         started        signatures19 94 Suspicious powershell command line found 48->94 53 powershell.exe 48->53         started        process20 file21 76 C:\Users\user\AppData\Roaming\LB31.exe, PE32+ 53->76 dropped 134 Adds a directory exclusion to Windows Defender 53->134 57 LB31.exe 53->57         started        61 powershell.exe 53->61         started        63 conhost.exe 53->63         started        signatures22 process23 file24 78 C:\ProgramData\Mig\Mig.exe, PE32+ 57->78 dropped 144 Detected unpacking (changes PE section rights) 57->144 146 Machine Learning detection for dropped file 57->146 148 Uses powercfg.exe to modify the power settings 57->148 152 6 other signatures 57->152 65 dialer.exe 57->65         started        68 powershell.exe 57->68         started        70 cmd.exe 57->70         started        72 13 other processes 57->72 150 Loading BitLocker PowerShell Module 61->150 signatures25 process26 signatures27 96 Injects code into the Windows Explorer (explorer.exe) 65->96 98 Contains functionality to inject code into remote processes 65->98 100 Writes to foreign memory regions 65->100 104 4 other signatures 65->104 102 Loading BitLocker PowerShell Module 68->102 74 conhost.exe 68->74         started        process28
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=absv2gwbt5775k4bfj37toc7a76o26hh5mt4mqnq4dhcl4ljmpna._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection defense_evasion discovery evasion execution persistence trojan
Link:
https://tria.ge/reports/241121-xvyjyavngt/
Behaviour
Checks processor information in registry
Gathers network information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Browser Information Discovery
Command and Scripting Interpreter: JavaScript
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Power Settings
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Indicator Removal: Clear Windows Event Logs
Loads dropped DLL
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Sets service image path in registry
Stops running service(s)
Modifies security service
UAC bypass
Malware Config
Dropper Extraction:
http://176.113.115.178/FF/2.png
http://176.113.115.178/FF/3.png
http://176.113.115.178/Windows-Update
http://176.113.115.178/FF/1.png
Verdict:
Malicious
Tags:
red_team_tool
YARA:
SUSP_NET_NAME_ConfuserEx
Link:
https://app.threat.zone/submission/668a4ecf-f8eb-41d2-828a-46e63158941f
Unpacked files
SH256 hash:
eca1c38f6862f1e4cb507a0cc612ad13ea8f52500a4b7897d785a9875b3d2331
MD5 hash:
fd49d18795bec83a2eee1ad81b082c48
SHA1 hash:
90cae96151eed78e45229f703b7f819e96e10a32
Link:
https://www.unpac.me/results/67c7457b-6b1e-4e16-b228-943f17cbbee4/
SH256 hash:
00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da
MD5 hash:
666248c216a3f63828f739839230f9f6
SHA1 hash:
13690837235053762a538b4c5b2b601ec9f6bb22
Link:
https://www.unpac.me/results/67c7457b-6b1e-4e16-b228-943f17cbbee4/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/00655d1ac19f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 00655d1ac19f7ffeab812a77f9b85f07fced78e7eb27c641b0e0ce25f16963da

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3298518/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments