MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 211d04bb0fe1ed1946e17d20a621be11ae90bf27bb2382c0b7ae2267ef1ed926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 211d04bb0fe1ed1946e17d20a621be11ae90bf27bb2382c0b7ae2267ef1ed926
SHA3-384 hash: 09b39b34b78d0b15d0e399e4fdec1d3e8a92b52b163d444f45c68d93b0cb52550f8c382606d595aaf22fc590347c1fb0
SHA1 hash: d3c617354b18f4bc6afa0243aea4358a35292047
MD5 hash: 80835f358fc78c40ef601c0c04aa1ef7
humanhash: network-spring-london-gee
File name: 80835f358fc78c40ef601c0c04aa1ef7
File size: 2'051'240 bytes
First seen: 2023-01-28 02:09:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:8oypzJb6s6Zj7SYNIGjcjUE1HEaZZLJTpEm3E:8jzoPF7SG
TLSH: T11595F31AB6015F3FCDD54872A51548846A232AE8C28F234EA4D6517B1ECE71FEFBC16C
TrID: 36.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      19.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      12.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      7.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      5.9% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: zbetcheckin
Tags: 32 exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
80835f358fc78c40ef601c0c04aa1ef7
Verdict:
No threats detected
Analysis date:
2023-01-28 02:11:29 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-vm confuserex overlay packed stealer warp
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Generic
Status:
Suspicious
First seen:
2023-01-27 07:24:49 UTC
File Type:
PE (.Net Exe)
AV detection:
19 of 26 (73.08%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash:
05767723167a03353af8394008cce03b164546c2f4d2cc11ba1d6b1a4a7ee9a0
MD5 hash:
2a3f0dbf9f8c12958f9e6f664e8aa9bd
SHA1 hash:
5fc44cdd420763cb02fb606c793d3a55f3690551
SHA256 hash:
211d04bb0fe1ed1946e17d20a621be11ae90bf27bb2382c0b7ae2267ef1ed926
MD5 hash:
80835f358fc78c40ef601c0c04aa1ef7
SHA1 hash:
d3c617354b18f4bc6afa0243aea4358a35292047
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 211d04bb0fe1ed1946e17d20a621be11ae90bf27bb2382c0b7ae2267ef1ed926

(this sample)

Delivery method
Distributed via web download

Comments



zbet commented on 2023-01-28 02:09:44 UTC

url : hxxp://62.204.41.88/lend/build_230126_220953.exe