MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 194739d84e81db630a2a5c890dd560d088d829959239829efc86221640a8d99a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 8


SHA256 hash: 194739d84e81db630a2a5c890dd560d088d829959239829efc86221640a8d99a
SHA3-384 hash: 0bd95500131eabb4799e4dcb5bb2a6953ca189a197a7c2591c33bece0cf8434f3757e5d795e09ecafb041b37dc73e8ff
SHA1 hash: 918421b805e782ab1d7a19121043f82eaf959c98
MD5 hash: dd81531815ffbc70ec2be9e7213a4e5c
humanhash: six-nitrogen-hawaii-uncle
File name: dd81531815ffbc70ec2be9e7213a4e5c.exe
File size: 1'499'772 bytes
First seen: 2020-12-18 16:57:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep: 24576:pRmJkcoQricOIQxiZY1iaC1p1Zk3bGfAL0fUeAFkU1rqsWuw6No2:mJZoQrbTFZY1iaC1p1Zk3bGIu1AuU1r5
Threatray: 213 similar samples on MalwareBazaar
TLSH: F365F112F5D680B6C1A327B19D7EF7A69B3969361336C19737C43E251EB0081673AB23
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 166
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dd81531815ffbc70ec2be9e7213a4e5c.exe
Verdict: Malicious activity
Analysis date: 2020-12-18 17:04:46 UTC
Tags: trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file in the %AppData% directory
DNS request
Creating a file in the %temp% directory
Creating a file
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Creating a process from a recently created file
Replacing files
Sending a UDP request
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Threat name: Win32.Trojan.Scrarev
Status: Malicious
First seen: 2020-12-13 22:59:00 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 194739d84e81db630a2a5c890dd560d088d829959239829efc86221640a8d99a
MD5 hash: dd81531815ffbc70ec2be9e7213a4e5c
SHA1 hash: 918421b805e782ab1d7a19121043f82eaf959c98
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE).

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments