MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SamoRAT


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e
SHA3-384 hash: d102421ba5d36f9bc14f5e0db9bda8e35ef656bf1a91a3b2b70621bc6b82b34978122804a03f48e173094ff82d22e649
SHA1 hash: e14304e60e56483b20776b7b49952e1fa47f0944
MD5 hash: c3b9975b7840866bd3a00265804ca5a7
humanhash: alaska-william-west-five
File name:21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e
Download: download sample
Signature SamoRAT
Create hunting rule
File size:211'456 bytes
First seen:2020-07-09 11:13:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:D8TX13LAtj5V0Lac3apkY7KPQC2nuS89slhBytaI1r0X3YfL:QXV0tj5ymcKpklpilhByt5GXw
Threatray 29 similar samples on MalwareBazaar
TLSH 1324F12839EB505DF3B7DFB16FD8B8FE895AE633250A35BA119203064B12E40DD52739
Reporter JAMESWT_WT
Tags:SamoRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23688/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Enabling autorun with Startup directory
Sending an HTTP POST request to an infection source
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 10:06:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=eg66qfrilpnmq4a6afb4dlsh6h564a6jbmwlholuk5abihhh2upa._file
Verdict:
unknown
Similar samples:
22f372a62b10bd40e04174512b0251bb0a2f49d243cb45dad8c91c21557ed301
SamoRAT
25d5292a98310d54fee67972b0e8d736fcef644c5225782de4cf0c48645ae1e9
SamoRAT
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
SamoRAT
55b8b84b624767c78a3ba733e577c4bdcd41fe9efa691725376a74077314e436
SamoRAT
571ec740451764b370c61813124b876d6bf8f0c2add56e57e7e8c00f494bc46e
SamoRAT
88741b14f426f4cb2f942dea22a70f85ae06a9e86ee03decd1ae79e6371f1b59
SamoRAT
939b2ae76b674d4fde311eb4374a5f0eaaf3d154a038fdd5febb84bec0734a77
SamoRAT
d6f32bc31225c5fa535140e98990618b7f0a597f8788ef5cd61b513eea4f6aca
SamoRAT
f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea
SamoRAT
fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SamoRAT
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200709-g5teqhm392/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies service
Looks up external IP address via web service
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://business.xunison.com/analysis-of-samorat/
Cape
Cape
https://www.capesandbox.com/analysis/23688/

Comments