MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
SHA3-384 hash: e694663117d94b87bb795cec0993c22518fd054835f08eb24de79675f74d0606f417029b6f50200267b96e54588291a3
SHA1 hash: 5b31708982e1b7a4809860bfca27c87d8cce7096
MD5 hash: 48a0efb20b34146d249e1d2ec6e4b635
humanhash: november-north-hamper-maine
File name:48a0efb20b34146d249e1d2ec6e4b635
Download: download sample
File size:1'538'048 bytes
First seen:2023-08-20 07:27:26 UTC
Last seen:2023-08-20 09:35:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:N+foijJDPnvcpzN3F5shvWuAJoaaDOrIP6cjn2RVXYDXmadbDjf92J2MzvgdfR2j:NyoijJDPnvcpzN3F5shvWuAJoaaDOrI3
Threatray 22 similar samples on MalwareBazaar
TLSH T17E6509E1BE8B0F80F7D1653040969990DEF1DCE7337AE29F6A0905883501E99CD9BDB9
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon a0b0f0f0b3b2e2e4
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
266
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
48a0efb20b34146d249e1d2ec6e4b635
Verdict:
Suspicious activity
Analysis date:
2023-08-20 07:30:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17bc2c15-a4fb-4ba3-9ac5-d525d360b8f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443737/
Detection(s):
SecuriteInfo.com.Win32.BotX-gen.11765.2953.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Launching a process
Creating a window
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64e1c084ac089eb8123e89e9/reports/5f065a78-9264-486d-a35b-95e6da5c61b0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f805fe45-e5fd-430d-b96a-c74b29ec268e
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1293993
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1293993 Sample: 9h4dTYyuZq.exe Startdate: 20/08/2023 Architecture: WINDOWS Score: 84 27 Multi AV Scanner detection for submitted file 2->27 29 Yara detected Clipboard Hijacker 2->29 31 Yara detected AntiVM3 2->31 33 Machine Learning detection for sample 2->33 6 Jeepdriveroads.exe 2 2->6         started        9 9h4dTYyuZq.exe 5 2->9         started        12 jsc.exe 2 2->12         started        14 jsc.exe 1 2->14         started        process3 file4 37 Multi AV Scanner detection for dropped file 6->37 39 Machine Learning detection for dropped file 6->39 16 jsc.exe 2 6->16         started        25 C:\Users\user\Videos\Jeepdriveroads.exe, PE32 9->25 dropped 18 jsc.exe 1 2 9->18         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        signatures5 process6 signatures7 35 Creates an autostart registry key pointing to binary in C:\Windows 18->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2023-08-19 06:14:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
27
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzyx6ii7imapf7qfetgtkvin4fdx4owzhkxxczvgs3gtqx3lw3da._file
Verdict:
malicious
Similar samples:
2d3677816bdf79a83288fae8cecfdc95691d36a931a8cd66646d6391f3faddb8
35a289dffa420556d0ae105d13b138fae7207dee808971fef93f642556b16e6c
35bec8209ce812572a8ca75f137e8c2b6c1271fea7c96a72a4e08087b640fa0c
4e8575081ab4e714f413c5cbe83141127d397da4df656fe28f2a1c42356dbb65
7e44724101abeaace0c8ab6e16471862f8fed840e9f70cfb62d56bddd39bdbbc
8f61fb247d39dfb97f59db9374ac43793fa6432057a6e1d76aa06a22ea9f3ca8
9785eec1ff877367352742e441815f7f7372615e463e3a5862fa7881eb2e7081
cc081c42b4c7b8d373aa4cc662d59112338a3cfbb22218f481ec248a7d1df437
d1aab5929869cfe69e83022529492d8c60f749c4e2c33af45da5adee88435cdd
e30fb0167cff4b0cc4cbc651e4c833459e94a603b8b9a33d449986ca641f7ce8
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230820-janmcadg45/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
bd0fcb4c298822bef4e8864dc7fbb48d222320a29e0e4776d77d21d2c057cf8d
MD5 hash:
b97cc70f842cadea1d425d59a9d0bbc2
SHA1 hash:
ca154c12331e147ad0e0c6aa238ea46c28cce31c
Link:
https://www.unpac.me/results/25729f3c-947c-4be6-8818-5327a979d285/
SH256 hash:
bfa12a2456d40d6c32a1f4e35bd43c81f6f67466234faed8fec19397d0e6d808
MD5 hash:
7a7927bac28be846b2fd2a5d10ba0676
SHA1 hash:
67a7b8616fc8e7aa7bb7a6e2521548e67a7caa2d
Link:
https://www.unpac.me/results/25729f3c-947c-4be6-8818-5327a979d285/
Parent samples :
fb110b1db7c02725d6cb0953cf153a2b5e158d358db136aece90ac06d79cb07d
80dd6d009a2b7ab7aa393d063048320db5ea3920a4fd9cca4a0a76f12183273f
SH256 hash:
1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6
MD5 hash:
48a0efb20b34146d249e1d2ec6e4b635
SHA1 hash:
5b31708982e1b7a4809860bfca27c87d8cce7096
Link:
https://www.unpac.me/results/25729f3c-947c-4be6-8818-5327a979d285/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1e717f211f43/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICOUS_EXE_UNC_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables with considerable number of regexes often observed in infostealers
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1e717f211f4300f2fe0524cd35550de1477e3ad93aaf7166a696cd385f6bb6c6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2705622/
Cape
Cape
https://www.capesandbox.com/analysis/443737/

Comments


Avatar
zbet commented on 2023-08-20 07:27:27 UTC

url : hxxp://industrias-lopez.com/2/data64_2.exe