MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
SHA3-384 hash: fabf4971d24876f23df205f99af855a2bb22972a405e461cfafb5de8d743b421fe4bd7f56d531697bd946453d367f539
SHA1 hash: 34d8a60c677068deaf60dde44371ec5685a9cd3c
MD5 hash: 1b936f050d48d226835f721249e103a4
humanhash: ohio-butter-chicken-hamper
File name:ExeFile (354).exe
Download: download sample
File size:1'148'416 bytes
First seen:2024-08-20 14:13:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:Cp8p0mDe7KwRb/mOTU33K1Q5oeBFYZsEzu6xtCqocbV+W5rKL8GeiKdOFkbUpJoM:u8prmqc86OVBKK6xtcCiyOFwY2nU
Threatray 561 similar samples on MalwareBazaar
TLSH T17935CF80278B6E89E3CED37960A86B195130F3B5B55323C97F2DDA34C79A352DE45E80
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon 1359693159b82869 (1 x RedLineStealer)
Reporter byMattii1234

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ExeFile (354).exe
Verdict:
No threats detected
Analysis date:
2024-08-20 17:07:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/df059cc6-a453-4586-9cd2-f1c3fee89e61

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Bulz.163669.27038.5975.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c4a4b8e7ff3f5a063ba054
Tags:
Generic Static Variant
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint hook packed packed
Link:
https://www.filescan.io/uploads/66c4a4979498a0e255aff7d8/reports/236c8b97-80cf-43d5-825f-ad4449604295/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5c0f1323-1358-4f2a-980a-ed20e3f6b8c2
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1495918
Signature
AI detected suspicious sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bn3yq46jj5v4rgsaffga5bndrk4ckcjgbtjkf2fxhuamlsioq5lq._file
Verdict:
unknown
Similar samples:
04ea5c74e910a261b38f769a145ce0f7370badc8f88f53715c44bb73899bc736
477a06dbbff57c765255c72f2ff7d72129269d9c66483e75abe3dbdab2432104
574a54bc3a0667b656cd0a41974cf676a9939d1e2c5a3e3984e4dcd3ba49a744
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
90528c5ebed228a240f11f108c5ca65eb1f9e2b93c30f781f4a5d03c299a9a52
9802a11bca599736bb7d56c2866a87a3363a2de0edc4848974c812d11f99c87f
fc37e01bcc7919699ec81a825718d0639eaf85eef7e7b87111ff33b53fd09b0b
+ 551 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet bootkit discovery persistence
Link:
https://tria.ge/reports/240820-rjqr3awdqa/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ef0b8573-dc2b-4dcb-8d2e-1ee5166797e8
Unpacked files
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Detections:
INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Link:
https://www.unpac.me/results/fce17823-d06f-4961-8ac1-bddec467eaec/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
MD5 hash:
1b936f050d48d226835f721249e103a4
SHA1 hash:
34d8a60c677068deaf60dde44371ec5685a9cd3c
Link:
https://www.unpac.me/results/fce17823-d06f-4961-8ac1-bddec467eaec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/456442/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments