MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d
SHA3-384 hash: 71a58276e0cbb74bc4de2d86cdfb22211b3e004c2f32a969f70cfb4b5d3a237edd58762d245ca3fb39e0b42c7ad44325
SHA1 hash: 080bde2af672c6559f34d13d09deff0c19a02ff3
MD5 hash: a17b2168e387499d984ce735b429c203
humanhash: michigan-minnesota-golf-finch
File name:SecuriteInfo.com.Trojan.InjectNET.14.5313.13654
Download: download sample
File size:521'216 bytes
First seen:2020-12-23 22:33:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:XLoYoO3mtiuOGZN6xnl2QU99th6YxPbpIdDSj9L:cKRulgITTtLpN0DSj9
Threatray 17 similar samples on MalwareBazaar
TLSH 04B43B5491E0475AC0FFDFFD8BC52A02CFE0591A9D21DE9A289543DF46A6B82F930B07
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
452
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ae0de96557c8b19cd5afe41809fcb77.exe
Verdict:
Malicious activity
Analysis date:
2020-12-23 19:09:50 UTC
Tags:
trojan rat azorult stealer vidar loader remcos
Link:
https://app.any.run/tasks/6bf17faa-b571-445f-bc61-1a16922efaca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109243/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.5313.13654.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the Windows subdirectories
Launching a process
Changing a file
Setting a global event handler
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/569478
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333799 Sample: SecuriteInfo.com.Trojan.Inj... Startdate: 23/12/2020 Architecture: WINDOWS Score: 96 45 Multi AV Scanner detection for submitted file 2->45 47 Yara detected AntiVM_3 2->47 49 .NET source code contains potential unpacker 2->49 51 2 other signatures 2->51 8 cmd.exe 1 2->8         started        10 SecuriteInfo.com.Trojan.InjectNET.14.5313.exe 3 2->10         started        14 taskkill.exe 1 2->14         started        process3 file4 16 m0qmkp0d.exe 1 8->16         started        19 conhost.exe 8->19         started        35 SecuriteInfo.com.T...NET.14.5313.exe.log, ASCII 10->35 dropped 53 Injects a PE file into a foreign processes 10->53 21 SecuriteInfo.com.Trojan.InjectNET.14.5313.exe 4 10->21         started        24 conhost.exe 14->24         started        signatures5 process6 file7 39 Antivirus detection for dropped file 16->39 41 Multi AV Scanner detection for dropped file 16->41 43 Detected unpacking (overwrites its own PE header) 16->43 26 powershell.exe 1 16->26         started        33 C:\Windows\Temp\m0qmkp0d.exe, PE32 21->33 dropped 28 cmstp.exe 9 7 21->28         started        signatures8 process9 dnsIp10 31 conhost.exe 26->31         started        37 192.168.2.1 unknown unknown 28->37 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d/
Threat name:
ByteCode-MSIL.Backdoor.Tnega
Create hunting rule
Status:
Malicious
First seen:
2020-12-23 18:38:10 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1560eda2c12e3e8e92fbd9506d928b2b8fdc76c0f4c563dc97d346aefd69203d
65c8232de44a0edf4ad3419c24fc4aaa82be89fc4af9d0164b3fde64bc258a7e
66665d8a29a83e28eee87ea5c0b10d84247910af3aaea9aef9f4261836a92ec9
6fae12812270d9986246eaaa82a7807aa306a3de2c035a44e2a824b8bc28f99d
7f9578c24f8b3e867cfeb160edfbd605a823c918785dc1bc124924b600db6f11
877b397265d324ba44a102b1595e6e76e6c418c0d34d66b195ce0e4d53ab8ab8
8d72963427e5e1ece6579f890111e0b67da9d14bbb60f8cf5f3dbf8d699df48d
ac8a0b325adca9cc88fc6ee32c912024adfe5228024712e1c757183c51260d16
c02fd55323f979aec99086280ad0864be84f66585b4c427b5414ebf04879ee5e
cb581d356a20e0845006197aed2cc99463a9759f3f8c6a6d0783a553c88fda1b
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201223-szn27ds3lj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d
MD5 hash:
a17b2168e387499d984ce735b429c203
SHA1 hash:
080bde2af672c6559f34d13d09deff0c19a02ff3
Link:
https://www.unpac.me/results/aeaf9cf5-8ae3-4034-b823-e7f108225ab0/
SH256 hash:
087d0c0315da38a9c29aab66a628d05b169013d8135de9652e6a83bee15e8d8d
MD5 hash:
215d10c58de49c8d224e9a77d42961db
SHA1 hash:
2bb0effd16fb00c44aa78ba949a0e0d9a1cb4f94
Link:
https://www.unpac.me/results/aeaf9cf5-8ae3-4034-b823-e7f108225ab0/
SH256 hash:
dbf1333340641ab6cdffd02b5688479349d0b20484ebc1bcb00b8fb444029ecb
MD5 hash:
b90970676431070df0328ec2284b89e7
SHA1 hash:
7b79ec504218ccb487087ef71f0a8b48389804e0
Link:
https://www.unpac.me/results/aeaf9cf5-8ae3-4034-b823-e7f108225ab0/
SH256 hash:
259e7d5eaa8d9fde885f582d01304f089474e5f46c7f8062fe52af5d2b30f3b6
MD5 hash:
952f755cd4ba9cf974c07d71270d7d24
SHA1 hash:
951b36b7dcfd44af3786e90f4c9605ed69ddfb9e
Link:
https://www.unpac.me/results/aeaf9cf5-8ae3-4034-b823-e7f108225ab0/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/aeaf9cf5-8ae3-4034-b823-e7f108225ab0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 063f92b92f5711f274cd75cd9f70ea8f264769d738224dddfec7631c283c4a5d

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/109243/
  
URLhaus
https://urlhaus.abuse.ch/url/941170/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/941181/

Comments