MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
SHA3-384 hash:	90478bdf51ce42536110d78d2c587714c6b956bd3f23964eb5e1d51774e25299adebcab706b0e7a937063f5a5a0a24ba
SHA1 hash:	c7db6bbaec3dd6c44ea291185a186489b74d7ef7
MD5 hash:	1c1bdd57483bbfbb497b4596be12b053
humanhash:	blossom-minnesota-sad-white
File name:	1c1bdd57483bbfbb497b4596be12b053.exe
Download:	download sample
File size:	3'485'696 bytes
First seen:	2021-01-05 09:17:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	98304:w1oluFwZls+JDRmvEYCrSEebiRi0LrU3By8HnYeCP:w1ocFwZls+JD4vlC6L8r2By8HYe
Threatray	119 similar samples on MalwareBazaar
TLSH	8FF5125233F19013F9970269642876CD297C7183B7D9F15BAB372AE09304ABAF3E8D51
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1c1bdd57483bbfbb497b4596be12b053.exe

Verdict:

Malicious activity

Analysis date:

2021-01-05 09:25:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e848051d-4149-4d6e-854b-907d2c6fa04b

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/110543/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/574012

Signature

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483/

Threat name:

ByteCode-MSIL.Packed.Generic

Status:

Suspicious

First seen:

2021-01-05 09:16:31 UTC

AV detection:

9 of 46 (19.57%)

Threat level:

1/5

Verdict:

malicious

243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074

3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab

3f5f718eea347bd327c4e7b525d0fc1ce91d54d4b1e4da1e78e18a35f19756e3

446a57da424b148321083f32681f6394b8a8bf8cfe750054697922c091f30624

7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340

80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0

8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa

98048b38fb423438e56d7fc759d38add5cd5f4d552e0688d9977461c07963aa7

abd3a1a0ccfcc5e723e8b022e2dc025c617b94da33136673be439819a5160d6e

+ 109 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210105-te3kgejtte/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Unpacked files

SH256 hash:

22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483

MD5 hash:

1c1bdd57483bbfbb497b4596be12b053

SHA1 hash:

c7db6bbaec3dd6c44ea291185a186489b74d7ef7

Link:

https://www.unpac.me/results/a5c982be-e878-4d35-8737-3b8c74833d91/

SH256 hash:

64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86

MD5 hash:

88c0ec8398978fa2e4240f02765086ad

SHA1 hash:

5a5c4935b2d70e890c89ad9332365f4f4aa86f3c

Link:

https://www.unpac.me/results/a5c982be-e878-4d35-8737-3b8c74833d91/

SH256 hash:

1f52f19332f3d16ae1156ad7418bad2231d0de8a1576e924871857f281dc9525

MD5 hash:

da809ea2c675ef4459aa0938ea2bedc1

SHA1 hash:

c99cbbd268f9bcf2c04af0a2368c7bda9f16699f

Link:

https://www.unpac.me/results/a5c982be-e878-4d35-8737-3b8c74833d91/

SH256 hash:

64caddc2b7d99f3f6b2c8c535a074ec2c507df84971e225d1cba2bb3e1af1974

MD5 hash:

19525c2b43c4c73ed3777bfa8953b1dc

SHA1 hash:

d9a3bd0f34d56f5cf35caf053d9b922258ad09f6

Link:

https://www.unpac.me/results/a5c982be-e878-4d35-8737-3b8c74833d91/

SH256 hash:

152ec035d1b3f6a661bc5f6c2a931a90b3afc7241b1017d9b2f89022467fc340

MD5 hash:

da08e61fd8f5c324465f6b07ca3d1e93

SHA1 hash:

f1c2aa23927b9449e3ccc89e3c13bc6db788c70f

Link:

https://www.unpac.me/results/a5c982be-e878-4d35-8737-3b8c74833d91/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Email_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Email in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483

(this sample)

Cape

https://www.capesandbox.com/analysis/110543/

URLhaus

https://urlhaus.abuse.ch/url/949324/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample