MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1310783f97ec7e93d03fc411223ddb69e97e32e5d5445e96341bab5498783291. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1310783f97ec7e93d03fc411223ddb69e97e32e5d5445e96341bab5498783291
SHA3-384 hash: 69b920fe1920a7a9b1f7b86f80ab5767074724c282812f493a003fb8939a224fc601f3336df31c1008ae7cd85e212c27
SHA1 hash: 1a49160f03443726abd52c286e71d976bad11ef2
MD5 hash: b370930bd12303cee5be98a78886311a
humanhash: spring-nebraska-bluebird-moon
File name:b370930bd12303cee5be98a78886311a.exe
Download: download sample
File size:155'136 bytes
First seen:2021-02-10 11:36:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 3072:AFjlC0WzP7qsLmMtTazGrBfIdLVL3+vheqajptoNIoJ2Ey9zxo:pT/aKwdLVKefoSoJZ+
Threatray 9 similar samples on MalwareBazaar
TLSH 22E3CF0132B88B56E0BD5BF4447265900373766BAC32E76D9EC971EE28A7B405361F2F
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1c742ae4b7d10e026755e3fe5093d46.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 07:50:40 UTC
Tags:
trojan rat azorult stealer vidar loader remcos
Link:
https://app.any.run/tasks/4dd13993-37d2-4d8d-84c6-c5afe5d575c4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116492/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.61478.23936.3809.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/604353
Signature
.NET source code contains potential unpacker
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351206 Sample: Oakz41Co5o.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 64 39 Multi AV Scanner detection for submitted file 2->39 41 .NET source code contains potential unpacker 2->41 43 Machine Learning detection for sample 2->43 45 Disables Windows Defender (via service or powershell) 2->45 8 Oakz41Co5o.exe 3 2->8         started        process3 file4 37 C:\Users\user\AppData\...\Oakz41Co5o.exe.log, ASCII 8->37 dropped 47 Injects a PE file into a foreign processes 8->47 12 Oakz41Co5o.exe 1 1 8->12         started        signatures5 process6 signatures7 49 Disables Windows Defender (via service or powershell) 12->49 15 powershell.exe 23 12->15         started        17 powershell.exe 12 12->17         started        19 powershell.exe 12 12->19         started        21 5 other processes 12->21 process8 process9 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 conhost.exe 21->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1310783f97ec7e93d03fc411223ddb69e97e32e5d5445e96341bab5498783291/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 13:35:24 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0e4faaad6a44f55e0e23118c169e33ae95b2e8b2950207b939e561497f00d0f1
16e587a78c6af7a68db2eee80ac40ccec784aeb261cfa7bab04c54608dc96324
780316d5248b75354fd95a49441813a7f59e7fe1126fd337bc378fcad603fab0
91b422ee25b307df923fa0c14996c0b3748c953a9238041b45e671a9cbac0cf3
9d428688140447ecfeaac7ef6d45015ad0e475b042fd1841646232fd954bc55e
d2c1530870532abdf2123652c9f97dc9de79dc8aabbb8cfd185b1011d6cdbb01
d6a5d01edf06c2812aec143d767d5ed3a18ca7386a7470f9e7c8d08e49b0c366
edd8c8e1ee94c8aa8500999cf2d7f20801464d07d51ef3401ba1a1af0cc8fbae
ff22d13021f2bd9af9ec6f70782562460c5ea710e1fbbaa50ba997294c506a7e
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210210-vf56rc5dtx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
b28863542c7ad1e9ee507d95a75a2587d1ef8622eb358a8e8b712cfa95323a9c
MD5 hash:
8dbd2b7a7511b231220c586c9726098c
SHA1 hash:
870794b14268f6486a0f63f3f9533b5ed7d26091
Link:
https://www.unpac.me/results/8b0c1b8c-a0d6-4e15-a94e-acc437c49d80/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/8b0c1b8c-a0d6-4e15-a94e-acc437c49d80/
SH256 hash:
2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788
MD5 hash:
987ce346069cf47535e5ac57265c7228
SHA1 hash:
d0085325ed78fcac6d1f605753237abd1c40db22
Link:
https://www.unpac.me/results/8b0c1b8c-a0d6-4e15-a94e-acc437c49d80/
SH256 hash:
1310783f97ec7e93d03fc411223ddb69e97e32e5d5445e96341bab5498783291
MD5 hash:
b370930bd12303cee5be98a78886311a
SHA1 hash:
1a49160f03443726abd52c286e71d976bad11ef2
Link:
https://www.unpac.me/results/8b0c1b8c-a0d6-4e15-a94e-acc437c49d80/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1310783f97ec7e93d03fc411223ddb69e97e32e5d5445e96341bab5498783291

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1310783f97ec7e93d03fc411223ddb69e97e32e5d5445e96341bab5498783291

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948785/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/998434/
Cape
Cape
https://www.capesandbox.com/analysis/116492/

Comments