MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26065132cd1008e7160ce9b640f83305a95053b91ae82deadb98c55b551503a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26065132cd1008e7160ce9b640f83305a95053b91ae82deadb98c55b551503a3
SHA3-384 hash: d2b0daba94bd75ff97719793002ebdf4595f76551faffa4229337f8b4d05905be09199945c0f156ab53a23f0d8d4c9e6
SHA1 hash: d1a182b6030ca04e82342fb1c3d01255c9631708
MD5 hash: 2415c1f7de7b48be235bd153e7eb2470
humanhash: kilo-snake-chicken-eleven
File name:2415c1f7de7b48be235bd153e7eb2470
Download: download sample
File size:9'266'176 bytes
First seen:2021-06-17 19:48:19 UTC
Last seen:2021-06-17 20:33:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:WUgSQbaCDWr9U4XYCVx49bgZn8ESbHWJDz+JHYGv:WUd+WZmCr4RSSKJXKHYG
Threatray 5 similar samples on MalwareBazaar
TLSH B296330AA34D9373C1A30DB8D556CF745127AF296440219A60E2BEFB7131B8F62CB677
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2415c1f7de7b48be235bd153e7eb2470
Verdict:
No threats detected
Analysis date:
2021-06-17 19:51:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bfe75bc8-e015-4577-b11c-ea432c77457c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/166644/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.835.5672.18678.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0d9fb60-20f4-47a4-b20f-87b12809acc9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/803928
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 436339 Sample: 5nmtmztkPp Startdate: 17/06/2021 Architecture: WINDOWS Score: 100 78 Multi AV Scanner detection for dropped file 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->82 84 2 other signatures 2->84 9 5nmtmztkPp.exe 3 10 2->9         started        13 7B8U.exe 2->13         started        15 7B8U.exe 2->15         started        17 2 other processes 2->17 process3 file4 60 C:\Users\user\AppData\Roaming\...\conhost.exe, PE32+ 9->60 dropped 62 C:\Users\user\...\Olteepoyqmultiwins.exe, PE32 9->62 dropped 64 C:\Users\user\AppData\...\5nmtmztkPp.exe, PE32+ 9->64 dropped 66 3 other malicious files 9->66 dropped 88 Creates an undocumented autostart registry key 9->88 90 Writes to foreign memory regions 9->90 92 Allocates memory in foreign processes 9->92 100 2 other signatures 9->100 19 wscript.exe 1 9->19         started        21 5nmtmztkPp.exe 4 9->21         started        94 Multi AV Scanner detection for dropped file 13->94 96 Machine Learning detection for dropped file 13->96 98 Tries to delay execution (extensive OutputDebugStringW loop) 13->98 signatures5 process6 dnsIp7 26 Olteepoyqmultiwins.exe 2 5 19->26         started        70 zloy.hopto.org 89.216.188.191, 5500 SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze Serbia 21->70 58 C:\Users\user\AppData\...\5nmtmztkPp.exe, PE32+ 21->58 dropped 86 Multi AV Scanner detection for dropped file 21->86 file8 signatures9 process10 file11 68 C:\Users\user\AppData\Roaming\...\7B8U.exe, PE32 26->68 dropped 102 Multi AV Scanner detection for dropped file 26->102 104 Creates files in alternative data streams (ADS) 26->104 106 Machine Learning detection for dropped file 26->106 108 2 other signatures 26->108 30 cmd.exe 1 26->30         started        33 cmd.exe 1 26->33         started        35 cmd.exe 1 26->35         started        37 4 other processes 26->37 signatures12 process13 dnsIp14 110 Uses schtasks.exe or at.exe to add and modify task schedules 30->110 40 conhost.exe 30->40         started        42 schtasks.exe 1 30->42         started        44 conhost.exe 33->44         started        46 icacls.exe 1 33->46         started        48 conhost.exe 35->48         started        50 icacls.exe 1 35->50         started        72 212.192.241.97, 49717, 49720, 49723 RAPMSB-ASRU Russian Federation 37->72 74 cdn-110.anonfiles.com 217.64.149.229, 443, 49718, 49721 OBE-EUROPEObenetworkEuropeSE Sweden 37->74 76 anonfiles.com 172.64.174.30, 443, 49719, 49722 CLOUDFLARENETUS United States 37->76 52 conhost.exe 37->52         started        54 icacls.exe 1 37->54         started        56 4 other processes 37->56 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26065132cd1008e7160ce9b640f83305a95053b91ae82deadb98c55b551503a3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-17 19:49:10 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
20
AV detection:
13 of 46 (28.26%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
23d67bc537f5cfd46de2cba9580f80cdfb06e85a57ad74d3da20ed1196528d1c
55eec417f10cfdb7d6442a5ed87fa2cc9ae0fd4810672eaf95a223b4ad0ba894
5db793f73ecffd1d88da746f8ce03d798b65b9ab2bc13df307f25de29be546dc
65e13743faf495eef0607f5b9b0bd2cc3ce340b2ea08782c61a36952a955d2f9
8b3f0e932a336d8651b421b8437389bb7ca6242debbd22add47afbcb913b102c
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/210617-patg59zh72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class
Modifies system certificate store
NTFS ADS
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Unpacked files
SH256 hash:
26065132cd1008e7160ce9b640f83305a95053b91ae82deadb98c55b551503a3
MD5 hash:
2415c1f7de7b48be235bd153e7eb2470
SHA1 hash:
d1a182b6030ca04e82342fb1c3d01255c9631708
Link:
https://www.unpac.me/results/03a35b68-b0b3-49d7-a47d-75caaf889a48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/26065132cd1008e7160ce9b640f83305a95053b91ae82deadb98c55b551503a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 26065132cd1008e7160ce9b640f83305a95053b91ae82deadb98c55b551503a3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1373842/
Cape
Cape
https://www.capesandbox.com/analysis/166644/

Comments