MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 131d1481b01cc718f79404878bb9822237c5c503ccd21d9839214c6f5d8d54e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 131d1481b01cc718f79404878bb9822237c5c503ccd21d9839214c6f5d8d54e0
SHA3-384 hash: 14a3e2535f0c034466dd04ee009d16095d2b1f2322614c1a341da8c999fd1b49e2933c3df0f3b128f45b729dec8d6366
SHA1 hash: be3310168cce7b5e1f941de0b217b8beebd46555
MD5 hash: a76aa8e16e4ba0db945e6df0d8e945ee
humanhash: uranus-king-pip-hotel
File name:a76aa8e16e4ba0db945e6df0d8e945ee.exe
Download: download sample
File size:604'160 bytes
First seen:2023-07-16 07:44:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Wv96xiNIpLhxjz9trg7XuGul7CoLPUHxSqG16OHxcb:WIcNIrxP3g7XuGu/bUR+1B
Threatray 431 similar samples on MalwareBazaar
TLSH T140D423A303851D19E5B42AFB48451ECDA7A023D47A90066FF8F1526F9B3785D22B3DF8
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
a76aa8e16e4ba0db945e6df0d8e945ee.exe
Verdict:
Malicious activity
Analysis date:
2023-07-16 08:22:24 UTC
Tags:
trojan rat asyncrat remote
Link:
https://app.any.run/tasks/752fa122-f4ee-41e9-83e5-be7ab9011b7c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/421003/
Detection(s):
SecuriteInfo.com.Variant.Marsilia.26642.27181.26490.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Сreating synchronization primitives
Launching a service
Launching a process
Searching for the window
Searching for synchronization primitives
Creating a window
Creating a file
Modifying a system executable file
Sending a custom TCP request
Changing a file
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
comodo lokibot packed warzone
Link:
https://www.filescan.io/uploads/64b39ffefd9e198dc1148993/reports/b7688cb7-603f-461b-a742-d9c1cb74a396/overview
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/131d1481b01cc718f79404878bb9822237c5c503ccd21d9839214c6f5d8d54e0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/49ead687-0ebf-41db-8b76-118653f04f6a
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1273821
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1273821 Sample: QtFaiTyjW0.exe Startdate: 16/07/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Antivirus detection for URL or domain 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 6 other signatures 2->45 7 QtFaiTyjW0.exe 1 2->7         started        11 QtFaiTyjW0.exe 2->11         started        13 QtFaiTyjW0.exe 2->13         started        process3 file4 25 C:\Users\user\AppData\...\QtFaiTyjW0.exe.log, ASCII 7->25 dropped 47 Writes to foreign memory regions 7->47 49 Allocates memory in foreign processes 7->49 51 Injects a PE file into a foreign processes 7->51 15 AppLaunch.exe 2 7->15         started        19 powershell.exe 1 12 7->19         started        21 explorer.exe 2 134 7->21         started        signatures5 process6 dnsIp7 27 171.22.30.13, 1276, 49710 CMCSUS Germany 15->27 29 192.168.2.1 unknown unknown 15->29 31 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 15->31 33 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 15->33 35 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->35 37 2 other signatures 15->37 23 conhost.exe 19->23         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/131d1481b01cc718f79404878bb9822237c5c503ccd21d9839214c6f5d8d54e0/
Threat name:
ByteCode-MSIL.Trojan.Marsilia
Create hunting rule
Status:
Malicious
First seen:
2023-07-12 07:26:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cmorjanqdtdrr54uasdyxomcei34lridztjb3gbzefgg6xmnktqa._file
Verdict:
malicious
Similar samples:
13993a109f4064a70ae87d660099352109c6115065444c46e5cb4854496ce6da
2823dd4656b8073526d5a4db5dcd8f26877ddef0a51a11600bb7d9895c2e3c95
2be67875d74b25549ca09afc6872f34c79616e6f2c6eb0bf767ab09482b7b215
4c55fac9553b35c5e6e1079851747eb0166a6b370a81cdb835f4bdc285a78e0d
535963abdc42887378988042fcea77dd9aec415c3fd45e91a8447a81dcc0957a
6023d2e3d6ae4901fe997e9133c488dfbd50736e47034a6ee45d4c5952f26ee4
8f4ccb41b24de4d077f55f9f33455424bafa4f7546bc4f55efb77c94f9877170
b047ff5bff676893d2336d78b8e57b603ac85977529308f0992adf0eccc3924f
cbe8c12a97e6afdce354524b36314c07ab3345dd2776a7f8f070733270cf4cff
e0583659365eff03e89f2dd70e07f95593aa3e82bf2a528af30c02c787f2fc74
+ 421 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230716-jlehtaeb2y/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
d2f47dabf0395df98efcace28e9b06f67e19f14cedb271389f970a50a3124c94
MD5 hash:
c3e2940c08af0f1e51ed369767d6d6b0
SHA1 hash:
e9d6c3150b05069bf51932e3f6b7d2a89b50e699
Link:
https://www.unpac.me/results/2fbe6e90-6c76-41c0-8fdf-3f39a62b203d/
SH256 hash:
33186b03d4802db65ccc7e6aa014672b4a14abedb751cb0d1a3b6bc8259f5403
MD5 hash:
e07d509565dc2873315f5d8dbf4f5160
SHA1 hash:
9c5972c4f569a4926a58bca1ff53550bb05ca30d
Link:
https://www.unpac.me/results/2fbe6e90-6c76-41c0-8fdf-3f39a62b203d/
SH256 hash:
131d1481b01cc718f79404878bb9822237c5c503ccd21d9839214c6f5d8d54e0
MD5 hash:
a76aa8e16e4ba0db945e6df0d8e945ee
SHA1 hash:
be3310168cce7b5e1f941de0b217b8beebd46555
Link:
https://www.unpac.me/results/2fbe6e90-6c76-41c0-8fdf-3f39a62b203d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/131d1481b01c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/131d1481b01cc718f79404878bb9822237c5c503ccd21d9839214c6f5d8d54e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/421003/

Comments