MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AllcomeClipper


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82
SHA3-384 hash: 020043ab3a284be5099cd985af4715c70b4dfa5173e363c5bd2bddf60256c581b32e0ff95d72105d13ac5665f65ce426
SHA1 hash: 2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35
MD5 hash: 0cc25540c7ea712231dfaa165733b316
humanhash: cardinal-timing-nineteen-coffee
File name:0cc25540c7ea712231dfaa165733b316
Download: download sample
Signature AllcomeClipper
Create hunting rule
File size:532'352 bytes
First seen:2022-09-27 06:10:21 UTC
Last seen:2022-09-27 08:18:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+7Y8K9sEmAT2y/BAnHOZixIEjEmcEjElXs6Oj6EjE47AoKnWXyz2LRsYQG9e8NaN:H1+VC7b/lMh6QU9xTV
Threatray 1'740 similar samples on MalwareBazaar
TLSH T186B408E153E8F519CB7E737123166C64C36388C2D6CAE65F094881E977B7BE02AD148B
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon cc0431e02186e070 (1 x AllcomeClipper, 1 x LummaStealer)
Reporter zbetcheckin
Tags:32 AllcomeClipper exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
19747c0216f88bf606eaf488f0153524c0b7f9039565f6a32fbff6eecca4962b
Verdict:
Malicious activity
Analysis date:
2022-09-27 04:51:42 UTC
Tags:
installer loader stealer
Link:
https://app.any.run/tasks/446ad019-b6a8-4c8e-b28d-90bea89248bf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313822/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.19893.26311.30894.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
Query of malicious DNS domain
Sending a TCP request to an infection source
Sending an HTTP GET request to an infection source
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
83%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/633293f7665fcdb8807a2c86/reports/f924dd32-7c07-4540-b1d9-2a3619d77fcd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4fd8f28d-bc3a-4395-8d0f-0754c3f06507
Result
Threat name:
Allcome clipbanker, DarkTortilla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1078070
Signature
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Allcome clipbanker
Yara detected DarkTortilla Crypter
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 710624 Sample: ArA1zb4vYM.exe Startdate: 27/09/2022 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for domain / URL 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 4 other signatures 2->43 8 ArA1zb4vYM.exe 15 3 2->8         started        13 MoUSO.exe 14 3 2->13         started        process3 dnsIp4 33 www.google.com 142.250.185.228, 443, 49716, 49729 GOOGLEUS United States 8->33 31 C:\Users\user\AppData\...\ArA1zb4vYM.exe.log, ASCII 8->31 dropped 45 Performs DNS queries to domains with low reputation 8->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 8->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->49 15 ArA1zb4vYM.exe 20 8->15         started        19 ArA1zb4vYM.exe 8->19         started        51 Multi AV Scanner detection for dropped file 13->51 53 Machine Learning detection for dropped file 13->53 55 Injects a PE file into a foreign processes 13->55 21 MoUSO.exe 13->21         started        file5 signatures6 process7 dnsIp8 35 dba692117be7b6d3480fe5220fdd58b38bf.xyz 104.21.17.54, 443, 49723, 49724 CLOUDFLARENETUS United States 15->35 27 C:\Users\user\AppData\Local\cache\MoUSO.exe, PE32 15->27 dropped 29 C:\Users\user\...\MoUSO.exe:Zone.Identifier, ASCII 15->29 dropped 23 schtasks.exe 1 15->23         started        file9 process10 process11 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82/
Threat name:
Win32.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2022-09-24 16:22:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=czvpgqu3nwnid65vg6cjdeazaulfs3amjjcl4a3srjaiaaydtwba._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
24b0889aeba0fa92e2cfbd9f9a5ccf708bfabe6b1425a9f35ce59b012f14b4ab
AllcomeClipper
530ecf25ce9b2bf78dbf25f3718681760fd3cb55ec62ceeb79d323423ab6ac40
AllcomeClipper
b66f52015626800cdcdce8eaf8cf25e729202eff110a5c95479752c8f64dd566
AllcomeClipper
be4ed5a51f14038fe8da76e0acd84d1844788f27aa6ea6fc38a5d66b3b17637f
AllcomeClipper
d31cf84c72885dd1108abe0ad6a88776d4650ffc073556a334b8c4fba98376c0
AllcomeClipper
e226014240563c1bb381a65e2286163d01091ab0c41f6ec7d71d5a2178fabba4
AllcomeClipper
+ 1'730 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220927-gxlp6adgfn/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7cfb8a61-442b-4369-b387-ce5363a0c068
Unpacked files
SH256 hash:
166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82
MD5 hash:
0cc25540c7ea712231dfaa165733b316
SHA1 hash:
2c4398ac4c7e4ea2605a7f9cd96b8c15db743e35
Link:
https://www.unpac.me/results/38178978-eba3-49ba-b0eb-23f8d654fa63/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AllcomeClipper

Executable exe 166af3429b6d9a81fbb537849190190516596c0c4a44be03728a408003039d82

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2314944/
Cape
Cape
https://www.capesandbox.com/analysis/313822/

Comments


Avatar
zbet commented on 2022-09-27 06:10:27 UTC

url : hxxp://wizecenter.com/js/avicap32.exe