MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 046fc39c1c9c3bb2a6fbad55853839dfc6849140c45daa347a27c13bb2656908. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	046fc39c1c9c3bb2a6fbad55853839dfc6849140c45daa347a27c13bb2656908
SHA3-384 hash:	7d960ef7df46b2f49b592dd3c42dbe77ef8980788b743773fda90fe389e05a9c5fd2093ae11c3d1e6c8240dcf26f869b
SHA1 hash:	0aeeebade094217a51d82ad6142a42edce0a079d
MD5 hash:	48f109b9ccdd25f4048fe3fd626e5e9e
humanhash:	eleven-zebra-mountain-bakerloo
File name:	Signed Contract.exe
Download:	download sample
File size:	519'168 bytes
First seen:	2021-02-03 14:23:02 UTC
Last seen:	2021-02-05 17:11:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:4Zi9709qmIZv/39IYP5XAg0lopb4DNxkGKllhK:4ZcIYP5XASyEhd
Threatray	8 similar samples on MalwareBazaar
TLSH	AAB4F1153ABC5F47D3756BF909B0A02057BD2A1A3825D31C8EA538EC6A34FDD9A80F53
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Signed Contract.exe

Verdict:

Malicious activity

Analysis date:

2021-02-03 14:24:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5b1e8149-4e23-41a9-a9c4-b4551182a10e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/115341/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42827.4734.9549.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/597899

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/046fc39c1c9c3bb2a6fbad55853839dfc6849140c45daa347a27c13bb2656908/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2021-02-03 02:25:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 29 (68.97%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=arx4hha4tq53fjx3vvkykobz37dijekayro2und2e7atxmtfneea._file

Verdict:

unknown

5df6a51ec936167b8114908fc71c56acd21bb594b58bec1056d477a51a5d9c87

cacfd3f384737f85e02f8c4dfad0689a71b228c8b930995c24da43582f688a64

d16ef5665f424549664067281a16d00a497cb7c9def17be02ad609686f5959ff

d4fe5652b38307f15145ad7bbb8b7934b007272eade6eb337c21208e7f35025c

d720d5e55684cbf894809d5963e95d6613af588bfaeb0ecfa6001beb533d0232

e2136c8268bb5be4fe2a295a9bb9250c00437452cd3d65822290e3a68b1fb94b

e9b069d8601f3c5af52496366ce5921ad0a5938c1f25e18602355027c26ed631

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion ransomware

Link:

https://tria.ge/reports/210203-2e7d9dbm9n/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Unpacked files

SH256 hash:

a2a0bbbe8c9ee88441356010f63455c50dfcafe663db757bbc453c815c51d720

MD5 hash:

11e80c54bfeff7f0c120dae46df0a8be

SHA1 hash:

d597b9b0dcac06f0aa00a931bb90de8eba564651

Link:

https://www.unpac.me/results/6d16a52f-9a24-4978-9cee-5e8f245dc893/

SH256 hash:

cb6ec765adaccfb981249ba94945bed1946e7e03694cb1c18a9fe6553fd30e9c

MD5 hash:

de63761b704e5bae518a880493a9fd28

SHA1 hash:

01ea693ca2d80520d506b81ed4b9888f6d103a74

Link:

https://www.unpac.me/results/6d16a52f-9a24-4978-9cee-5e8f245dc893/

SH256 hash:

046fc39c1c9c3bb2a6fbad55853839dfc6849140c45daa347a27c13bb2656908

MD5 hash:

48f109b9ccdd25f4048fe3fd626e5e9e

SHA1 hash:

0aeeebade094217a51d82ad6142a42edce0a079d

Link:

https://www.unpac.me/results/6d16a52f-9a24-4978-9cee-5e8f245dc893/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/046fc39c1c9c3bb2a6fbad55853839dfc6849140c45daa347a27c13bb2656908

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/115341/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample