MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17f2438a8bbd9ac5a40d6315ee68720395ff47a3a8c7d81175d9beff41476e18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17f2438a8bbd9ac5a40d6315ee68720395ff47a3a8c7d81175d9beff41476e18
SHA3-384 hash: 257017e6e5f553b388e710e8d7e2f81495a7d0b95599de1d7a980186382508df0bd946770526be3b379f1896b608805c
SHA1 hash: a75b50e3b60364babbf4b3d2de259fd9bf75dadc
MD5 hash: 0a483db7de2cdc770473ab94daf5062d
humanhash: finch-cola-cola-nitrogen
File name:SecuriteInfo.com.Win64.DropperX-gen.10198
Download: download sample
File size:12'800 bytes
First seen:2022-09-26 14:11:13 UTC
Last seen:2022-09-28 07:09:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 192:oml3UZ+YxoVjqqhvzS9iDA1DQp+AA7g+4OW4/4Ic6nGQrzXAY:o2E8YxoVRcYD8DC+k+IWLrzXA
Threatray 897 similar samples on MalwareBazaar
TLSH T1B7426D4AEFE54236EDD253B89C1793C82638E6606C13D34E788452AA7D0AF9C5F11F72
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 48d4f4f0f0f0d8c0 (37 x RedLineStealer, 18 x AgentTesla, 9 x SnakeKeylogger)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
220
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313614/
Detection(s):
SecuriteInfo.com.Win64.DropperX-gen.10198.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6331b33a5291e4a063ebf35c/reports/380e383a-c6f9-4962-bcd6-7df0476db3c3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9a39da5e-bde7-474f-88ac-9586ddc0f8cf
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1077411
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17f2438a8bbd9ac5a40d6315ee68720395ff47a3a8c7d81175d9beff41476e18/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-09-26 07:14:57 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c7zehculxwnmljanmmk642dsaok76r5dvdd5qelv3g7p6qkhnyma._file
Verdict:
malicious
Similar samples:
3dd3078924cd154c4543f6e47ede6d36fd676a500dc76b1a44c3484417ae9cbf
51eaf57ae9fde2cb71b84897ddfd8d5c69bb0604dad100de6ce57f026f3cbada
56fd163108e6e2a9e2f7cfd15898f61d5b8d435ed839d1e29b70c040998eedcf
6657fc401ddcb3ffdbe0d45b7850f9a2bccef46d42469b825cd890557a351693
806a765203bdd0a1e4c715bf6022dce830d04ae041ef978b3b2890b158a7e180
8aa4295ba55d4375ddf998facfb0a7a95394cdae9c4eac0a0fbaccae4df717c6
94c64f12afd02a13f709021efe6a3676f92ee6ea68ea91b67e476ba603c0b79b
d1be2499de89be1f90b8fba3abbf20cfd30152c3ae10674152b2604ac86d76ac
f1049ccccc6b4f2323a440c38d0092ae7cf4c413de5e63962716021a5bbc1a0c
f15bf4c786172149ed0b9e57b08c695b01095b9167de714ea61768f021ae9ff0
+ 887 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220926-rhvpmacbhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e906a59b-9652-4d6d-b3a2-492a5c09385f
Unpacked files
SH256 hash:
17f2438a8bbd9ac5a40d6315ee68720395ff47a3a8c7d81175d9beff41476e18
MD5 hash:
0a483db7de2cdc770473ab94daf5062d
SHA1 hash:
a75b50e3b60364babbf4b3d2de259fd9bf75dadc
Link:
https://www.unpac.me/results/0a370252-b648-4df8-8a4b-3123252bed6a/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/17f2438a8bbd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.57
Link:
https://yomi.yoroi.company/submissions/17f2438a8bbd9ac5a40d6315ee68720395ff47a3a8c7d81175d9beff41476e18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313614/

Comments