MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ApolloAgent

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d
SHA3-384 hash:	75d1c16d33578a81a5bae72b7e83e8d91031082fc6a5bd84826cb1849e99c4db1ecac210cb018ba31187ee23d83a2189
SHA1 hash:	ba62c0d50779702aca9a5ba9df2d81107aacf89b
MD5 hash:	bcbb1cc9f78c21384ed244b1c57711ca
humanhash:	april-eighteen-arkansas-bravo
File name:	apollo.exe
Download:	download sample
Signature	ApolloAgent Create hunting rule
File size:	2'095'616 bytes
First seen:	2024-10-05 13:06:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep	49152:/kqXfd+/9AqbXHeWQmVNDfHOWHLwNveZvgPydGKf+DrIEjR6gg5tHu+kP:/kqXf0FfbXHRNVlPwx4vgPydGq+Dd6FU
Threatray	2 similar samples on MalwareBazaar
TLSH	T1C6A533116BD5404CC773467EA47937221EBCB92998ECD3CF0645BA670ACFB440ACA7A7
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	rado
Tags:	ApolloAgent exe

Intelligence

File Origin

# of uploads :

# of downloads :

434

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

apollo.exe

Verdict:

No threats detected

Analysis date:

2024-10-05 13:07:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/34898d90-bbc2-470e-b4c1-4d4350e82ecc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=670139c0ebeac9e68050b8d9

Tags:

Packed Micro

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/670139f99ee059f0d6e3456f/reports/a5db45d6-505f-4f36-8d2b-3d0bb4efa63f/overview

Verdict:

Malicious

Labled as:

Trojan.Apollo.Marte.A.Generic

Link:

https://www.hybrid-analysis.com/sample/0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mythic

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/78579e36-2920-4af8-a0f4-2600d8a07331

Result

Threat name:

Apollo Agent

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1526396

Signature

.NET source code contains potential unpacker

.NET source code contains process injector

.NET source code references suspicious native API functions

AI detected suspicious sample

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Apollo Agent

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d/

Threat name:

ByteCode-MSIL.Trojan.ApolloMarte

Status:

Malicious

First seen:

2024-10-05 13:07:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

14 of 24 (58.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=brru5f3fy5qxejjkzrds4gtg5j3ztp6px3fiozftvvjwibblgewq._file

Verdict:

malicious

Label(s):

apollo

apollo_mythicc2agent

ApolloAgent

6a2bc5111b7ea9c4c6fdca0db462187b8b9b1ef009bd2d28a2a0124e3d31b95d

ApolloAgent

error

ApolloAgent

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/241005-qb3k8atdkl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/8bb118ce-7c52-4f91-aeb7-ad53cc351e62

Unpacked files

SH256 hash:

389d1ef78d535559e72129d667fbcef2c555ffbf799111eeb56dd83a59c6ed76

MD5 hash:

33782e63d522a739dd090841bbf4c13f

SHA1 hash:

c66fd17fabb2b7b76af5c40b980537e531bc43e9

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

adf3aa996548da20eafa6104d1edea3fed37570338f8564e220128c1a29e1fc5

MD5 hash:

26e5dfaa30bbc34c3cffd223434822f3

SHA1 hash:

ab7ab358b97ccf7c9b89a78fe4a6fe25549569b4

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

dae92de15646e88f64455a4170f92c62d361c37dbc146b508dd576a34cdad63e

MD5 hash:

c7a443bb9f8df050edff6860bd4d60d6

SHA1 hash:

7b249452e09661d087787d9b3620e83de01bacfc

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

97f1fdf51f00b8c22f4ae1e0ea22c0679e4f1ed5efe56d35ca80d86148e88c6f

MD5 hash:

b8e3dd19a7a751a31dec68fc294243fe

SHA1 hash:

742b45fee42d2df423f97013a14697b18c433de1

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

e7daaf8fbfca4b21578071c8975ba6ac4ceb246dd4ef34730f261d12aec0f632

MD5 hash:

4e0b1ba3335e3f3a461f8f785e120a0f

SHA1 hash:

5efc54ff3e535ea79bb208e2790332188039f6d8

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

2e619e0ab8f74aef77ba31ff2e7102b620f15363b09f15caa6ce7752819b2222

MD5 hash:

dd7fa30de9e681e27b6066c161b5ebc2

SHA1 hash:

35e66501a1ba563805ce02925e514cc36694db9d

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

330a4c2f4c68ab3faa4c43966cbfa7098df5c83b564fdaa2103e56374239dfcf

MD5 hash:

b8f369ad33a4525c203417a5670ce00f

SHA1 hash:

2b09e4a29afb556947ea1fe1a17e2dff6832d409

Detections:

SUSP_NET_Large_Static_Array_In_Small_File_Jan24

SUSP_NET_Shellcode_Loader_Indicators_Jan24

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

c815c8a317ea4c8391c2a9bc04065fd73c646f2b9ae874368abdb2f06a981d28

MD5 hash:

ccc979866f5c306da5d12cfcc0587a0d

SHA1 hash:

24b5bc81e2ba35642cf0859d9d0b90e90a9cccfd

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

733929248cdd87d1c2f93643fea4608cd87e395d1c9c2afbc4449eca44649aa8

MD5 hash:

6e3be9b3e406221021a93f7ae01dab1f

SHA1 hash:

212297a1b0dbfbe87d72814d29fa44f448e7c34e

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

cf5be845bb628c0d3ff1513e89a36b1b1b7623515bff5a4865ae19ba16bbc7c0

MD5 hash:

792fad52effddcfa180ba24e9bf7d63d

SHA1 hash:

1e3ca1ac10245a40870fda4aca0923ccc9fac137

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

SH256 hash:

0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d

MD5 hash:

bcbb1cc9f78c21384ed244b1c57711ca

SHA1 hash:

ba62c0d50779702aca9a5ba9df2d81107aacf89b

Link:

https://www.unpac.me/results/63f918d9-812f-4164-b3d3-619f3a2f0bb7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.77

Link:

https://yomi.yoroi.company/submissions/0c634e9765c76172252acc472e1a66ea7799bfcfbeca8764b3ad5364042b312d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample