MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 048ff51f732ece74602e0fa10a870ed5c74374a289f658d6d84da16c7b553e7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 048ff51f732ece74602e0fa10a870ed5c74374a289f658d6d84da16c7b553e7d
SHA3-384 hash: c5af9f46a42f05d7282090a83bcd3be1a2b3b3423a0f1dd277ec9f5df66deb85a36fd1508350745cc6be3b24d8a54a9f
SHA1 hash: fad5f56acd7203974cd52338469c536667cfb493
MD5 hash: c69a21090bee0a65c584df72b86ebb69
humanhash: massachusetts-queen-oklahoma-double
File name:c69a2109_by_Libranalysis
Download: download sample
File size:96'296 bytes
First seen:2021-04-27 22:02:30 UTC
Last seen:2021-04-27 22:49:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 768:a30zH9Zi7+g+4la6l5DSaqsBBqEN69yyh:aiHbKPHv5DSyB3N
Threatray 211 similar samples on MalwareBazaar
TLSH B693A142F6C7742BFBC69A3BE5DAF530066F1E4C2D53B01A9458F2406733ECA1E9046A
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c69a2109_by_Libranalysis
Verdict:
Malicious activity
Analysis date:
2021-04-27 22:05:12 UTC
Tags:
trojan dtloader loader
Link:
https://app.any.run/tasks/451c75f5-7c00-4432-9a96-f43446534a53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144714/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.6844.25332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a UDP request
Launching a service
Deleting a recently created file
Launching a process
Unauthorized injection to a recently created process
Enabling the 'hidden' option for analyzed file
Creating a window
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f09240f-5a87-42fe-89ae-1d15545f20b5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/699717
Signature
Adds a directory exclusion to Windows Defender
Detected potential unwanted application
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 398778 Sample: c69a2109_by_Libranalysis Startdate: 28/04/2021 Architecture: WINDOWS Score: 84 52 Sigma detected: Powershell adding suspicious path to exclusion list 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Detected potential unwanted application 2->56 58 4 other signatures 2->58 7 c69a2109_by_Libranalysis.exe 21 12 2->7         started        12 Chrome updater.exe 2->12         started        process3 dnsIp4 50 ldvamlwhdpetnyn.ml 104.21.85.176, 49712, 49730, 80 CLOUDFLARENETUS United States 7->50 38 C:\Users\...\c69a2109_by_Libranalysis.exe.log, ASCII 7->38 dropped 40 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->40 dropped 60 Drops PE files to the startup folder 7->60 62 Adds a directory exclusion to Windows Defender 7->62 64 Injects a PE file into a foreign processes 7->64 14 c69a2109_by_Libranalysis.exe 4 7->14         started        17 AdvancedRun.exe 1 7->17         started        20 powershell.exe 26 7->20         started        42 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 12->42 dropped 22 AdvancedRun.exe 12->22         started        24 powershell.exe 12->24         started        26 Chrome updater.exe 12->26         started        28 Chrome updater.exe 12->28         started        file5 signatures6 process7 dnsIp8 44 C:\Users\user\AppData\...\Chrome updater.exe, PE32 14->44 dropped 46 C:\...\Chrome updater.exe:Zone.Identifier, ASCII 14->46 dropped 48 192.168.2.1 unknown unknown 17->48 30 AdvancedRun.exe 17->30         started        32 conhost.exe 20->32         started        34 AdvancedRun.exe 22->34         started        36 conhost.exe 24->36         started        file9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/048ff51f732ece74602e0fa10a870ed5c74374a289f658d6d84da16c7b553e7d/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-27 22:03:11 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
3f0fa5c8ebb2640afc948bfd5c8bb0ba644222b3bc15c095085d718843d59915
4f450fcf02d7006fd4fbea8c2cad999397672d44864f1e8c504633ce53c3d53d
78baec19444d923fde30977dacb85fada9247b9e3ae150f32a1137e7fc0b8dfb
9c6abdf1e5ff719e261ea153555b981cd907ba5f79f50943d679d59967eba445
c3528956666ac901c406c13e9b265cb805424e91919db91a1fe2227ffbc15c7a
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
ca146513d9ec6ec60b81b20fd9aa2f262c54d447e8361417c3c4b7678e51e6a5
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
+ 201 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210427-m9g9p2fwes/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
048ff51f732ece74602e0fa10a870ed5c74374a289f658d6d84da16c7b553e7d
MD5 hash:
c69a21090bee0a65c584df72b86ebb69
SHA1 hash:
fad5f56acd7203974cd52338469c536667cfb493
Link:
https://www.unpac.me/results/0665f3d5-5843-49c4-b088-a7eacab99be0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/048ff51f732ece74602e0fa10a870ed5c74374a289f658d6d84da16c7b553e7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/144714/

Comments