MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350
SHA3-384 hash: 873d12074731bc5071818214400092674b6f8b6193e8528770fb6764359ebeaa75f21169acaddfa187bb8cc11141e0a5
SHA1 hash: dc93b8684344bdd673de6e658f460e4560cb9ab8
MD5 hash: 67283d1204f42de38d9d7ccaf4cc3b65
humanhash: iowa-utah-pip-april
File name:78c21f56ab5da492b7eaf3ccaa974b74
Download: download sample
File size:405'821 bytes
First seen:2020-11-17 12:40:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 12288:46Wq4aaE6KwyF5L0Y2D1PqL5VtQcrhPHog:OthEVaPqLV1
Threatray 202 similar samples on MalwareBazaar
TLSH 238401C1F38CAD84E62026F204CE29B2C3696F766320933B601565E7A9AD1E3557F71F
Reporter seifreed

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Deleting a system file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a process
Changing the Windows explorer settings to hide files extension
Launching the process to create tasks for the scheduler
Enabling a "Do not show hidden files" option
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350/
Threat name:
Win32.Trojan.Svhoder
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 12:44:47 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
38e5fde6988bbf02467d7b59ba15a3dfbdaedfab4804c60cf3ae44db6b48a844
62e2d0479075cb28a37635972b9d3ad111e77b86b70de000409e11fe3f1d025a
63e969ed05409bdcf1992ef0ad0fb143d76e808379a2070a372f77b490c83770
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc
9129967bfcf44c87ec6eb83a30f5500a5e453c76281b7ec3b0c1caa778377e08
aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7
b24cb4cd3db305d5451cb3c0d0e60fe578b1fd38aca4be6032fb0ce2f0b786b4
cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92
f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83
+ 192 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/201117-frg1xpm54n/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
UPX packed file
Modifies visibility of file extensions in Explorer
Modifies visiblity of hidden/system files in Explorer
Unpacked files
SH256 hash:
0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350
MD5 hash:
67283d1204f42de38d9d7ccaf4cc3b65
SHA1 hash:
dc93b8684344bdd673de6e658f460e4560cb9ab8
Link:
https://www.unpac.me/results/ffd97dac-7275-4ca8-bc09-2fd94fb3a89f/
SH256 hash:
2e7eba478f5ebcc252fc087ed6acd0adc53e561836ddb279a6eca6aa4ae2a5bd
MD5 hash:
52b511f0c75f6b83f490a1c7813db6f5
SHA1 hash:
a01e63c697e85f2ce7ab8ccfe91d69cbe09b4b53
Link:
https://www.unpac.me/results/ffd97dac-7275-4ca8-bc09-2fd94fb3a89f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments