MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ca0216d0d70df84f12b955ad54bc99c42b783320de730f7edb060aa4cf5e0cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ca0216d0d70df84f12b955ad54bc99c42b783320de730f7edb060aa4cf5e0cd
SHA3-384 hash: bdd6ec55c31e07e0c8bbb607117f2af93560f3083daa23ec8285f48cc325f9fceb6543bfebd98ae9576c9ac743ac0d11
SHA1 hash: 3ffcf61a3802bfb138e3b2090fa382e7c2e9b0b6
MD5 hash: 900bf557b369be9a6d8ecf4eab8eb7b7
humanhash: summer-thirteen-jersey-alaska
File name:900bf557b369be9a6d8ecf4eab8eb7b7
Download: download sample
File size:59'392 bytes
First seen:2022-03-09 20:41:14 UTC
Last seen:2022-03-09 22:50:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 1536:g1wWBnlJYqw/uVo/Nygw+2yQwGV1yG2sv9y33+86ODc7:WwWBlJYqw/uVobw+29yx/zc7
Threatray 3 similar samples on MalwareBazaar
TLSH T1B8438DE0B187507CD9DAC6311AF9A3EC6BF5B8DAE587C54B4E72AD0311D62872B1031B
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248897/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.15923.13894.21067.UNOFFICIAL
Create hunting rule

MiscreantPunch.SingleXOR.EXE.191.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Сreating synchronization primitives
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm obfuscated obfuscated replace.exe
Link:
https://www.filescan.io/uploads/62291122b94fb38cb44ac9b0/reports/4e8edd7b-923e-4872-86f5-66573406585b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6987ebf9-997a-43ea-aee0-4745d7609870
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/953678
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ca0216d0d70df84f12b955ad54bc99c42b783320de730f7edb060aa4cf5e0cd/
Threat name:
ByteCode-MSIL.Trojan.SpyEye
Create hunting rule
Status:
Malicious
First seen:
2022-03-09 12:07:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 27 (62.96%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
18147cdbc33f84363ae9250730d1c694ba290b53c1c827d5c4a9f0b5a71e2a3e
22ed8ba56c9a195d2f2b50133b9ba06e6cc0705fd3003cd76c2717547443f3d4
a3e066057917fd9c0774744ac02f05d3f8e993354249698db1ce599188dae123
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/220309-zg2esaeefr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Unpacked files
SH256 hash:
1ca0216d0d70df84f12b955ad54bc99c42b783320de730f7edb060aa4cf5e0cd
MD5 hash:
900bf557b369be9a6d8ecf4eab8eb7b7
SHA1 hash:
3ffcf61a3802bfb138e3b2090fa382e7c2e9b0b6
Link:
https://www.unpac.me/results/9216020e-c1a2-4907-b9bb-42b5b5493d64/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.63
Link:
https://yomi.yoroi.company/submissions/1ca0216d0d70df84f12b955ad54bc99c42b783320de730f7edb060aa4cf5e0cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1ca0216d0d70df84f12b955ad54bc99c42b783320de730f7edb060aa4cf5e0cd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2086584/
Cape
Cape
https://www.capesandbox.com/analysis/248897/

Comments


Avatar
zbet commented on 2022-03-09 20:41:17 UTC

url : hxxp://file-coin-coin-10.com/files/7066_1646682141_3970.exe