MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
SHA3-384 hash: 7efc3d4df820ebc18c8bc0deaf0c7f6b65c48c85570739bb1563542ab06f275fd410378d6213fa4f9b831d17524a9482
SHA1 hash: b8eb83112b57ec770e45c1f1bdfd9e0eefba9e3e
MD5 hash: 14272291438efac58308397d8a016459
humanhash: king-enemy-mirror-skylark
File name:14272291438efac58308397d8a016459
Download: download sample
File size:464'896 bytes
First seen:2022-03-09 20:01:52 UTC
Last seen:2022-03-09 21:51:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:7bB5bUnsIAKQNFgdrMDQVBBsensVcjWpa1LjAI9wroOUaGeKNkWaE1uH9+kH24QA:RG5MKdrMMVB6xVc6pS8YaGebEX0p3d
Threatray 679 similar samples on MalwareBazaar
TLSH T134A423292B116381D8B3E37AB4A2B7C94B36D53266AF03F9B04D169DBF115274731C72
File icon (PE):PE icon
dhash icon 3856562b99d0288c
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248862/
Detection(s):
SecuriteInfo.com.Trojan.Siggen16.39491.22379.19886.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/622907c0dfdfa8501c8214ae/reports/3618fcc5-385c-44b0-bfc3-8f9ab3e4e8db/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39005813-e14e-41df-ba76-9b2685adaf7a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/953640
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Schedule system process
Sigma detected: Suspicious Add Scheduled Command Pattern
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 586117 Sample: KzmyvleGGX Startdate: 09/03/2022 Architecture: WINDOWS Score: 100 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Sigma detected: Schedule system process 2->49 51 8 other signatures 2->51 7 KzmyvleGGX.exe 2 4 2->7         started        12 KzmyvleGGX.exe 1 2->12         started        14 powershell.exe 17 2->14         started        16 KzmyvleGGX.exe 1 2->16         started        process3 dnsIp4 43 178.20.40.235, 2121 ASN-FRWInternetServiceProviderIT Russian Federation 7->43 41 C:\Users\user\AppData\...\KzmyvleGGX.exe, PE32+ 7->41 dropped 55 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->57 59 Encrypted powershell cmdline option found 7->59 61 Uses schtasks.exe or at.exe to add and modify task schedules 7->61 18 powershell.exe 17 7->18         started        21 schtasks.exe 1 7->21         started        63 Antivirus detection for dropped file 12->63 65 Multi AV Scanner detection for dropped file 12->65 67 Machine Learning detection for dropped file 12->67 23 powershell.exe 13 12->23         started        25 powershell.exe 14->25         started        27 conhost.exe 14->27         started        29 powershell.exe 16->29         started        file5 signatures6 process7 signatures8 53 Encrypted powershell cmdline option found 18->53 31 conhost.exe 18->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 29->39         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-04 16:24:35 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0ee1085fefee69e978fd79adf288a62b15c04e5f551fd6e7abde34daf1913ca1
1c4b300d1e06cc44916b721f7fb9ab566e463b1ccf318cdcf1ef8e28b33647b3
42287ac393c08dcdae7b2ee2c75dcce8cf0739dc5e8eff36e6da0eefc2388382
4c0f83c722bdcb38b3d53a1cebc80b777ee6e02742e27a384ac39d7e51f4e7dd
5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad
685628e7be549b38ec2935bcb4faadeb04001a0b5b5e70b181e03af263efa4bd
8592d578f269100d67bf1faa464e23de7bf0c1266bad19d2bf6bcce0501158a3
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
ec5e49c4fba591d631c2d9475916d232a5b38d7bff5df4e430a96320421fc5e0
+ 669 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220309-yr5drabfd7/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
MD5 hash:
14272291438efac58308397d8a016459
SHA1 hash:
b8eb83112b57ec770e45c1f1bdfd9e0eefba9e3e
Link:
https://www.unpac.me/results/72fa6273-6273-4fc1-ae38-15b5de70408b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0e22f42c7121/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2086575/
Cape
Cape
https://www.capesandbox.com/analysis/248862/

Comments


Avatar
zbet commented on 2022-03-09 20:01:53 UTC

url : hxxp://file-coin-coin-10.com/files/6179_1646406710_533.exe