MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 7 File information Comments

SHA256 hash:	24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705
SHA3-384 hash:	4170d58bea06e8f820f86ef0f25b9a0093be79ec3af373f41618389ab67924c8511afe81e511977c7f2447e2d8be5dbf
SHA1 hash:	ba92c7d3c5ecf4b040aebc6be98212519e4ca76f
MD5 hash:	4d705556306e3300178e14b7b48b8c33
humanhash:	april-illinois-coffee-table
File name:	SIP_37547492837573264823474325087.exe
Download:	download sample
File size:	611'336 bytes
First seen:	2025-03-17 08:26:21 UTC
Last seen:	2025-03-17 09:23:51 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:PQw8PteVi2zMmN1G6I9p6Fsi24NoIcgbcUjG8TSJkIbunkR:l8PteXNs6op6Ci249xjFSJkVy
Threatray	4'520 similar samples on MalwareBazaar
TLSH	T17FD4F08862B8CF56E9B807F10D30E17447F12D5EA815C74A8DC4BCDF34A1B416BAA7A7
TrID	69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.0% (.EXE) Win64 Executable (generic) (10522/11/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win32 Executable (generic) (4504/4/1) 1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
dhash icon	72ceaeaeb2968ea8 (5 x RemcosRAT, 4 x MassLogger, 3 x PureLogsStealer)
Reporter	lowmal3
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

423

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SIP_37547492837573264823474325087.exe

Verdict:

Malicious activity

Analysis date:

2025-03-17 08:35:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0b57d3b-d9e8-4464-b9b7-ef4a31461e73

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67d7e9ab3962f1a6f4724266

Tags:

virus krypt msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

expired-cert invalid-signature obfuscated packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/67d7dcdc0a7899f3579950c9/reports/e1e5dc4d-9128-4ea7-a467-a9df7fcab8e5/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5e283631-bb64-4423-80ee-3e83f2d2eac1

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1640397

Signature

.NET source code contains potential unpacker

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705/

Threat name:

ByteCode-MSIL.Trojan.Snakekeylogger

Status:

Malicious

First seen:

2025-03-17 08:27:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=etgivqlprbnbtm73gfwmzojaelaa2x6zbns6v2d2ksztjc6ye4cq._file

Verdict:

malicious

Label(s):

unc_loader_037

272b1e13f8fe5c1e0893d98bae35caae57cacd20baeec78da5a2ea7c8a65d4bb

41415c1dab37487faf427095855fb66cafa150ae15b9c515234e1e0b5f733aa8

bdc575548d1c5516325c2ff1261d8220cfdb1e612d13972e665191199cf2aa27

error

+ 4'510 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

discovery

Link:

https://tria.ge/reports/250317-kcgggsvwcx/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/24b14002-275c-4ce6-9f76-93164a718041

Unpacked files

SH256 hash:

24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705

MD5 hash:

4d705556306e3300178e14b7b48b8c33

SHA1 hash:

ba92c7d3c5ecf4b040aebc6be98212519e4ca76f

Link:

https://www.unpac.me/results/b9e0c2cb-eb23-474f-9013-db68a6140c67/

SH256 hash:

f60a24b92fae48f6a753e23756e81bc20d4e9ab0ef8ca2c4c1719e5b521bcfe6

MD5 hash:

7b42e6fe0c33a4479d04426e14ce41c5

SHA1 hash:

0ef906c70ecfd6b3b50fa9d7e4824a6bfc12de22

Link:

https://www.unpac.me/results/b9e0c2cb-eb23-474f-9013-db68a6140c67/

SH256 hash:

6a8ff19ea8c762c3f343ba51307b086182030028383eeaf6bf18fd60a82efa7c

MD5 hash:

aa7385eb4cd3ecce67de7230f4389338

SHA1 hash:

3506b87acac1487843048fe7a7c3761958b50e5e

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/b9e0c2cb-eb23-474f-9013-db68a6140c67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	INDICATOR_KB_CERT_7c1118cbbadc95da3752c46e47a27438 Create hunting rule
Author:	ditekSHen
Description:	Detects executables signed with stolen, revoked or invalid certificates

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 24cc8ac16f885a19b3fb316cccb92022c00d5fd90b65eae87a54b3348bd82705

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample