MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ca0fa0599ad3337700cfe55be2f6d0462a7e4301f8ccfdd87167a66754e7e71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ca0fa0599ad3337700cfe55be2f6d0462a7e4301f8ccfdd87167a66754e7e71
SHA3-384 hash: 458cb548161016850c9dd605c8549dff016f7f9afd2a5170a00dce9f42bead7dc01c29692fdbc0f8f7befbeb7e42463a
SHA1 hash: 60af38b1d1b1a84ff7d22b195b7ea06e15fa62c9
MD5 hash: b6a8bd9f29a479b0ce5b4d5a4a090949
humanhash: kitten-dakota-mockingbird-river
File name:b6a8bd9f29a479b0ce5b4d5a4a090949.exe
Download: download sample
File size:491'520 bytes
First seen:2020-07-08 07:03:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:18CILPnGuMGJcbhQDpcXxw6RYDgWLMm4snkWrOISoZOBSH/aCSDKBFlvZfRsbml7:12PVmhudLMJssHBCxSizvZfRIsY
Threatray 74 similar samples on MalwareBazaar
TLSH F7A41C221D548862FD481230D0D12B0B26279DEF3DD07A47B189BBE79F19E4C7BB4A9D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22908/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a window
Reading Telegram data
Reading critical registry keys
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ca0fa0599ad3337700cfe55be2f6d0462a7e4301f8ccfdd87167a66754e7e71/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 07:05:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
14fe0fa7e16253e53ce4c25616e08006ad09330bea8df9161a47b2815cd83067
24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e
2cba7569fc0d1b991734fdc617a03fe425edeff12546d81702254404b0bf33ab
38ee6bea62658ae4fa75914261a5848a8db5b332ddfb52daf01e958871559e15
a415be3007323e2f44f88d02d2a7c5225ae795235d57aba13fa5057ff6acab61
bc73cd93e40c3f14501d016a393f95d4a481a5a7d2fbbf99a6dc5e2b88156885
df54c4cf12eb9ff00568d4936f2c55a3193f6726b1a7f59c78a88a6f06488dbd
e5093e304a50d34cdf67ee8e49713c6131d6740e664ea49d9c98682336e3141a
e987d7cfccfc0718988a08971314cc56c07be7ff1985dd64d70165c7850b4b66
eedbb575580c9efc8e2a065c6713d388094d08b54d7d4e383ff7ee9446646241
+ 64 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/200708-pv29d6bs8n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks for installed software on the system
Checks for installed software on the system
Reads user/profile data of web browsers
Loads dropped DLL
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1ca0fa0599ad3337700cfe55be2f6d0462a7e4301f8ccfdd87167a66754e7e71

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/407605/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/22908/

Comments