MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f
SHA3-384 hash: 2e41ebed6cff8e7b1b1daba7734f153ca8d1690279d622cbe1378e1b62501b8fa9dcecce5ff667d021057ca0753d07ea
SHA1 hash: 703061ade66bbd6a82ecdc0109787e6219e5f475
MD5 hash: d9b8fa6f3fc0ab223862534a09f4e7e5
humanhash: hot-oklahoma-east-bluebird
File name:d9b8fa6f3fc0ab223862534a09f4e7e5.exe
Download: download sample
File size:128'512 bytes
First seen:2021-10-13 17:37:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:f3ZNi3GlgG4TWCGvP9Ohi8qKTcMMpO+bLyU:f3VlglWCGsAeQDb
Threatray 147 similar samples on MalwareBazaar
TLSH T1D6C3F52EB7845B16D84819F8D5EB942417E3EAC32773D6853E4862DA0E413A4CDCFBC9
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d9b8fa6f3fc0ab223862534a09f4e7e5.exe
Verdict:
Malicious activity
Analysis date:
2021-10-13 19:50:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa4d2ac0-d81c-471e-8fc8-7e0aed5f5fa3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197328/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.24926.5300.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Launching a service
DNS request
Connection attempt
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6167197c9fb4d8593d63dd8f/reports/3d47a604-8954-4333-b533-8c2d8387427d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/13753a46-19da-44c8-9d81-2116712be12f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/869884
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f/
Verdict:
unknown
Similar samples:
0741c36ad10f51f858eefc2e2f0879c9ef1ae90af61d766bd50ebcc67f4d5579
6339a14fb049a069fed24b0a9827ab82710426e174139d172a6536bfb1519402
69c3aa9651a8fbff9bb671965c487748da86334da51a2136b2d8cd23716c5177
afd21ef5712ffcbe4e338a5eb347f742d3c786f985ba003434568146adedb290
b9c0b6dd76212644b551d5b8ea745b3f14f6c92365e767836382a4c8ea54906b
d0b4b43432238e361c9f553caa05df5c34c462d55bb18a6db5e076faaaf05da9
+ 137 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211013-v7p28aegd8/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f
MD5 hash:
d9b8fa6f3fc0ab223862534a09f4e7e5
SHA1 hash:
703061ade66bbd6a82ecdc0109787e6219e5f475
Link:
https://www.unpac.me/results/262830b7-c796-48aa-952f-f8bd9a4cdcab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.53
Link:
https://yomi.yoroi.company/submissions/203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 203cdec559936bf85ac018ed1e6816ac09d9aff81b1158ede2644a502281a98f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1657096/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197328/

Comments