MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c850189152813ace3063af65fad784dace09ebd9778423c04aa0881b0d0cc09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	0c850189152813ace3063af65fad784dace09ebd9778423c04aa0881b0d0cc09
SHA3-384 hash:	5a31c55db674aeaa3eda53aa743ed40707dd4d4016633d3e430411ab9b4c190a49e3cd823a53df0dd80cefeae4af8600
SHA1 hash:	c8addca093c9e753fc817e8e2887b20aef88ef8d
MD5 hash:	ee1666df78ae700e9056e58a01180e56
humanhash:	march-video-zebra-mango
File name:	me.exe
Download:	download sample
File size:	832'512 bytes
First seen:	2022-01-20 14:42:18 UTC
Last seen:	2022-01-20 16:58:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:P10T519WfXGI9WfXGI9WfXGiiiiE9WfXGd333:PgefXkfXkfXMfXk333
Threatray	102 similar samples on MalwareBazaar
TLSH	T1F30502367F816315C74E8BB48D7DAC1063B8F98A3C18CA5E89462DE55338BC2976473B
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

174

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/221122/

Detection(s):

SecuriteInfo.com.Variant.Bulz.648230.13721.28162.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for synchronization primitives

Сreating synchronization primitives

Creating a window

DNS request

Sending a custom TCP request

Launching a service

Launching the default Windows debugger (dwwin.exe)

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed print.exe replace.exe

Link:

https://www.filescan.io/uploads/61e974f8d32385db630f4eef/reports/9289cb91-b03d-4a7d-9483-cccc9578c22f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Gathering data

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/924450

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0c850189152813ace3063af65fad784dace09ebd9778423c04aa0881b0d0cc09/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-20 14:41:18 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 27 (74.07%)

Threat level:

5/5

Verdict:

malicious

3d8a089bef3b81470f2929bffeb1e2bd44ca72d7fb549c0381b83689c74114bf

5c32a6274a0a7bd4e25bc4f55d8b27f649b99bfcc00b325462c2b413fcf1e95b

6c87c4d4bb0afb52c271455df2c87d6c1f45168dae2cf999c1cd28f8a19199b3

73ab05f133367a68416c97ca773dee832f5468b7e5413ccd195ad1213b2899b9

79e5689152f3865a8d93d733e56d120c129b338c3d1ee91b90f3eb4ff43f1622

85f1d65f7f13aef5ef14ddfd2e556b84a34b46efc9adfa2d078033081f1222d0

dd4d4174a3dc3aa9f5ebff021eb9e561b6e22197d84d4611c6bd83c6cf9ac875

+ 92 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/220120-r3k1xsach3/

Behaviour

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Drops file in Windows directory

Sets service image path in registry

Suspicious use of NtCreateProcessExOtherParentProcess

Unpacked files

SH256 hash:

8b25188a1581753b0faa89a7e371d2cc852fd95635b8503b6b20a4263af486e8

MD5 hash:

384cab014157440d3c462a97689e40ff

SHA1 hash:

4b91e7dfd574e04db14d2e3223df9327a5b95ba2

Link:

https://www.unpac.me/results/5d70d242-52d3-42a2-ae06-710877ce0348/

SH256 hash:

0c850189152813ace3063af65fad784dace09ebd9778423c04aa0881b0d0cc09

MD5 hash:

ee1666df78ae700e9056e58a01180e56

SHA1 hash:

c8addca093c9e753fc817e8e2887b20aef88ef8d

Link:

https://www.unpac.me/results/5d70d242-52d3-42a2-ae06-710877ce0348/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/0c850189152813ace3063af65fad784dace09ebd9778423c04aa0881b0d0cc09

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/221122/

URLhaus

https://urlhaus.abuse.ch/url/1991619/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample