MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af
SHA3-384 hash:	4817496e1ac83fa09a01e87d8483eec4704adbcb9a37bbb6f1907462167dad19824d64e1320346dc161b691e71d4a42b
SHA1 hash:	aaae75218c97aad055740abdde401057022a7e40
MD5 hash:	3a7736b1cf401a3bb35d1c287c225aa1
humanhash:	ohio-winner-mars-leopard
File name:	0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af
Download:	download sample
File size:	1'537'536 bytes
First seen:	2022-07-13 06:32:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:Ox0vtufKPsjpkbPwdnITPkGr9HtTwkpXDvASps9ojoU6ISv3OvSJ9QFQfrXu:Om7hzwdcsGttTwsUA0cSPaQf
Threatray	109 similar samples on MalwareBazaar
TLSH	T18865AF62F9C2C1B2FDD515BA82FE2B371F394506632984E776C419E09AA10E275BF343
TrID	62.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 23.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 4.1% (.SCR) Windows screen saver (13101/52/3) 3.3% (.EXE) Win64 Executable (generic) (10523/12/4) 2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	JAMESWT_WT
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286762/

Detection(s):

Win.Downloader.Powershell-9856919-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %temp% subdirectories

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

cmd.exe greyware packed

Link:

https://www.filescan.io/uploads/62ce675fd6d93426cee905db/reports/d1568819-74f9-438f-8d1d-c791e079140f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/27609f9f-1313-4035-a450-bebf5cd5693d

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1029905

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2022-07-07 07:34:19 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 26 (84.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bkm555l6shctaqod7jhfaad65ylpvbggyql6ggrr3qqz5vwdscxq._file

Verdict:

malicious

1b7d7515f98891cf08164a7469bb9c9f3133e7834cfe99d55094594ca330e982

1f68e889d3c4c7f8049bad4abd042fcd05e84ac96bf23d86e2e95aa8fe346593

3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676

5b8d0e358948f885ad1e6fa854f637c1e30036bc217f2c7f2579a8782d472cda

76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1

8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23

9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3

aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211

ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846

+ 99 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

collection spyware stealer

Link:

https://tria.ge/reports/220713-ha8f3seaa7/

Behaviour

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Reads user/profile data of web browsers

Loads dropped DLL

Unpacked files

SH256 hash:

746b5f43db865fdac22d7611f0beb515498a5f047d594553d732a002b1134502

MD5 hash:

d331e03a21747b61abff259b5dc6b826

SHA1 hash:

209dabe7f9e6dda29f6579685e259227e91080c5

Link:

https://www.unpac.me/results/ee548a4b-4699-4a2d-a702-362a139a3864/

SH256 hash:

087d7cdefdec2a5d42c820e3ef26a355d4f0de4ea70ed60a68ee8b5548bab316

MD5 hash:

d584a0288b54e87c0c2325ce14448557

SHA1 hash:

b22554e078c160b28412d0012ccadcc6fde193e8

Link:

https://www.unpac.me/results/ee548a4b-4699-4a2d-a702-362a139a3864/

SH256 hash:

0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af

MD5 hash:

3a7736b1cf401a3bb35d1c287c225aa1

SHA1 hash:

aaae75218c97aad055740abdde401057022a7e40

Link:

https://www.unpac.me/results/ee548a4b-4699-4a2d-a702-362a139a3864/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/0a99def57e91c53041c3fa4e50007eee16fa84c6c417e31a31dc219ed6c390af

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286762/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample