MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


1xxbot


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
SHA3-384 hash: 299e547ef5bc2db9f9cc725dee05a60c35f99ad9544970e3fdf5e09e1def5e9f637a0a276684ddf9f2be1dbe24f51583
SHA1 hash: d30e8402cfdd0c2bb67c9c27fbba685682861818
MD5 hash: 473b99ecfc3b75620f6201898e1d8f74
humanhash: romeo-mountain-ten-gee
File name:473b99ecfc3b75620f6201898e1d8f74.exe
Download: download sample
Signature 1xxbot
Create hunting rule
File size:485'305 bytes
First seen:2020-05-14 06:18:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 12288:pANwRo+mv8QD4+0V16PWk92uU4pR0NNMRRlhuqggI9iFzm:pAT8QE+kuH97UqRuNMRduqgIzm
Threatray 564 similar samples on MalwareBazaar
TLSH B6A4F179B281857BC02209358C4B827AB53ABF005B7D64CFB7DE1E2D9D333191B6539A
Reporter abuse_ch
Tags:1xxbot exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 23:28:09 UTC
File Type:
PE (Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=btmex7lmrrpwdzsefbthl3haae5k72tkkohytgx4krf4xqgab52q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6daf0de596310cb04331ef266b7f0a5ee81672016edd8cd6876124a60534cfdc
1xxbot
6fae048e4ff41fdf6b3183d0a6f3fbe5b07d42544694c4b6ff5b76be292a1615
1xxbot
8a11790a57ada815e5fcb19b62fb18d2ae9f22a498f1a46b1677d3485b5c235c
1xxbot
9617dc1938ef945ab37282b04d7d083412485c144dd60c96d68f508da8a1a7c1
1xxbot
9d50a832749b89ed5ac52dd84acf0ae6cd16196267401d1ad1cbfc8506f92bba
1xxbot
db8d3e1f805b2f6219f99004258e23b3dd379a2dcc76338e3fb368ad23112a3b
1xxbot
eaf272ccebdce006c18793bdbcd0b4729d6ac2eefa2ef900cee811d74d953825
1xxbot
f1a10725589836a8b8959f7ceb298f84b1e5a9736fe97f32a816028aaff55001
1xxbot
f4221efa93b3ce5d8c92ba911661c246111653dd178bc239349cdfde8b39f7f0
1xxbot
f8d6f282de8b50d4d9e6fc17f53b0b33cecb4f4fb01f956cca3ba622b4b452aa
1xxbot
+ 554 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/201109-avcdqa5kls/
Behaviour
Runs .reg file with regedit
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Executes dropped EXE
ServiceHost packer
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

1xxbot

Executable exe 0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/323662/
  
Delivery method
Distributed via web download

Comments