MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1482f1fbddccf72ee417fd0ca10d14e12e9f9b71b71e6d0e3b7f2ff454be40c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1482f1fbddccf72ee417fd0ca10d14e12e9f9b71b71e6d0e3b7f2ff454be40c2
SHA3-384 hash: aaac4cb038b1957fa3feb04d9d455b1e18f670ff93756684a6b7881cc1b7da5b0feec27194170fc7e5583f0ec05632df
SHA1 hash: 4c1d8b66866e0b694c9bcb1d39f4091b5ffccdce
MD5 hash: 9ed84f25d10fcd7f0cf931129733ca81
humanhash: glucose-hawaii-monkey-winter
File name:9ed84f25d10fcd7f0cf931129733ca81
Download: download sample
File size:448'512 bytes
First seen:2022-07-31 15:07:13 UTC
Last seen:2022-07-31 16:03:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:YTCTXLl2h0EdA3730atFsXB9o2pZu/X1urOfyA1:Yufmo73Dtixq8SX1L
Threatray 259 similar samples on MalwareBazaar
TLSH T1D5940125F39A6FF8C7D80C3178A23871E59FEAE2AD71DA7027643EE54942B8008575F1
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon e2ba8ca68ece9e9a
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
339
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/295387/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.27847.30981.5459.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Creating a window
Searching for the window
Enabling autorun
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62e69b186fb6aea51f0ebc93/reports/9643152f-cd40-4b3f-b64a-a10354a4b4b3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/631e0dd9-df4c-4fa7-af62-1094f0a5bf57
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1043816
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1482f1fbddccf72ee417fd0ca10d14e12e9f9b71b71e6d0e3b7f2ff454be40c2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-07-31 15:08:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=csbpd665zt3s5zax7ugkcdiu4exj7g3rw4pg2dr3p4x7ivf6idba._file
Verdict:
malicious
Similar samples:
11d6dbe5acd0b8db0a0b9bdb4ffeac6da2a896de2ef7e546fe104c9520e0f88e
245db4f7a5c9b2ab4c50a3cdaa335ac740f05e84e0ebf9859325669fe23d3ffb
3f97bf9bdfc07c39df433605eda1cfdc6617e4142e8a49f182f547fa25243c62
506aa9e26a8962c561e5486356913ee40e53e5ea2434363e4b5827c126b0ce6c
7a62836c8967ef6d3c737f9aba146eb7ef5d08cacc564faaa2699efac7561b97
87491dc3e7e7bee41367da139e5110ca1a9b7bb1ea2c92dd20a8a96c8775fd98
c91e3f6a5e0b9dffb8ab95355c93ffa6110bd0104273e33f7da18f5f02a86075
db622b8d91a72f6ecd40d9659cd9a71a523c7e4b66e527b0106211dcbf428d9b
f234a3861371763fb293ba38d6a5cc82b0af13ce03ba676d3a229c9f30fbd85d
+ 249 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220731-shv6tshfbj/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
f22eda7a1901463c166783caa2a8a3fef3903fece861f863f0a2a0d6a7af9814
MD5 hash:
3bd4d1f0e7e1b05ca0293ec5ccd529e5
SHA1 hash:
9f3f7c287437b8ab06156ba95cfe785c7b43e03c
Link:
https://www.unpac.me/results/1b483be1-5285-4081-9f66-98555467d406/
SH256 hash:
1908cd8dc47782bf62469172b5acefdb890621625b37fdd57dc261ca6c158b92
MD5 hash:
5a4d0c01204121ffe3a4c373ec1ed964
SHA1 hash:
28ecf3bc037472b8c8a78acaafd2562087a206eb
Link:
https://www.unpac.me/results/1b483be1-5285-4081-9f66-98555467d406/
SH256 hash:
1482f1fbddccf72ee417fd0ca10d14e12e9f9b71b71e6d0e3b7f2ff454be40c2
MD5 hash:
9ed84f25d10fcd7f0cf931129733ca81
SHA1 hash:
4c1d8b66866e0b694c9bcb1d39f4091b5ffccdce
Link:
https://www.unpac.me/results/1b483be1-5285-4081-9f66-98555467d406/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/1482f1fbddccf72ee417fd0ca10d14e12e9f9b71b71e6d0e3b7f2ff454be40c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1482f1fbddccf72ee417fd0ca10d14e12e9f9b71b71e6d0e3b7f2ff454be40c2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2263274/
Cape
Cape
https://www.capesandbox.com/analysis/295387/

Comments


Avatar
zbet commented on 2022-07-31 15:07:16 UTC

url : hxxp://141.98.6.236/Cheat-Menu/Ofamxvd-Cheat-3.exe