MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0
SHA3-384 hash:	2e5669aa5b16d6a0f36c94ab3e2ac8d17707c504306a4d0fe59409f07578a7d4bc8184dac90ad783541e2aaf075e6b91
SHA1 hash:	adb9c2dacff8386cc54eac3f96d28494c3fe68c5
MD5 hash:	7201884e2b338a79b14892911c14a7f0
humanhash:	ten-hawaii-lemon-hydrogen
File name:	0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0
Download:	download sample
File size:	1'491'968 bytes
First seen:	2021-10-08 07:44:35 UTC
Last seen:	2021-10-08 09:05:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	24576:l+t0D9jaWAsmt2AbKd051/x6Osdu21Xq04SoQ6h/Aijym1LvbuhZUTdQn:+0gWAsmwAbKy1/YTdu21Xq0nJo/3JbM
Threatray	11 similar samples on MalwareBazaar
TLSH	T1C065338CAE49CCABCF8512763C4621675A70EB5208418C81FCB92FE5CF4F75C6EB6189
Reporter	JAMESWT_WT
Tags:	Aerospace and Telecoms Firms exe Novel RAT

Intelligence

File Origin

# of uploads :

# of downloads :

214

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0

Verdict:

No threats detected

Analysis date:

2021-10-08 06:25:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/13a15b63-d5d3-4648-bdf2-176631b0ad39

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/196083/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop18.4271.5463.1852.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/615ff707b95458900cdf069c/reports/756d5486-9c0f-448b-89db-3880511b9430/overview

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9695e50a-99ca-4457-ae4c-c8f65b872729

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2021-10-07 02:37:00 UTC

AV detection:

10 of 28 (35.71%)

Threat level:

5/5

Verdict:

malicious

2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7

3d13bbe7750e38414ba19fd51fe8a253d791edb6a923af31fe5d56ae17af0eec

3e4d51c93e584902549b54e3b22595a4f78a87a9eb4648be7af3b5cc6a682078

49c41771e8e348b30de43d1112221c71a6497794b541fead7f3b2eab706afba3

571fbb18f4fb9c36e5a991451316360fb81e5e537604b8fe7143b79fb3b926b5

915caf575fdbc904c0d5a3755135545f76b81bf633cdac3c98b85bd0ab76dfb6

a86d574b0b47c886fa1c8e31a0e4486d53398d58641c4c04ecdbf80e34922e33

a89639671659b81c5fcbdd2760590d6150fb4b1cd35ad0ac24ff6cdcf59bb079

db23d6f5e2123cde47f4e3178bf18063aa3270d13499991200c9074a837eff07

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://tria.ge/reports/211008-jld72sdfeq/

Behaviour

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Drops file in System32 directory

Looks up external IP address via web service

Unpacked files

SH256 hash:

19e040305fb57592bb62b41c24e9b64162e1e082230a356a304a3193743b102d

MD5 hash:

3d8416cee742706e130e352ea95a6ba3

SHA1 hash:

ec374dc41d9f6a751bf876da990f99ef362e0e1b

Link:

https://www.unpac.me/results/295847a4-f8c2-4f8c-a62b-e540cc2f9ce1/

SH256 hash:

d7aa669de0f8a0cdb898cf33ac38ae65461de3c8c0c313c82ee8d48e408e4c4d

MD5 hash:

c8bd4acd2977d63606362ab0375b1368

SHA1 hash:

964f4e1ab9ea3ca140e2b6323e2c80ba1fe343f7

Link:

https://www.unpac.me/results/295847a4-f8c2-4f8c-a62b-e540cc2f9ce1/

SH256 hash:

4d30dfb1d66c7a472cca11c22962f466762a08c1dfcfb18a9f75b2e4cf7c38ee

MD5 hash:

9052b081d5aaa0349532dbfb25ec5e9d

SHA1 hash:

799c4aced22fe62b0879c45eb85aac9f189ce6dc

Link:

https://www.unpac.me/results/295847a4-f8c2-4f8c-a62b-e540cc2f9ce1/

SH256 hash:

0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0

MD5 hash:

7201884e2b338a79b14892911c14a7f0

SHA1 hash:

adb9c2dacff8386cc54eac3f96d28494c3fe68c5

Link:

https://www.unpac.me/results/295847a4-f8c2-4f8c-a62b-e540cc2f9ce1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0b36693f3ce4197006131e3f127e83807c8afc175da08f18dc0aaa454e6790e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/196083/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample