MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27184266a647b3678779aef4ce2938a45d76a9ef56f1fd53e9722c8deec87e98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27184266a647b3678779aef4ce2938a45d76a9ef56f1fd53e9722c8deec87e98
SHA3-384 hash: bf7a4b4223575041292c91ae90a56edf65c7e4688795afcd781560f616640ccf49bac15d7a07d337a947b3686521520b
SHA1 hash: 5112f18009ee1e98957cfc4ffc5fd0c8920fce3c
MD5 hash: f4b5bf2340ee26ceeb762e7f288e9e73
humanhash: cup-three-indigo-wyoming
File name:f4b5bf2340ee26ceeb762e7f288e9e73
Download: download sample
File size:2'789'376 bytes
First seen:2021-06-28 12:43:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 49152:SVg5tQ7a3KW5JQVqVwzRNm90eHqhdMc5PQpHf5:cg56cjQq2bm9VHQdM0o
Threatray 1'048 similar samples on MalwareBazaar
TLSH AED5021373DD8365C7B29273B916B7326E7B7C2506A5F45B2FD8293CAD30162420EA63
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f4b5bf2340ee26ceeb762e7f288e9e73
Verdict:
Malicious activity
Analysis date:
2021-06-28 12:45:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2b21672e-b694-4a5a-b558-4445b897118b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168586/
Detection(s):
PUA.Win.Packer.Msvcpp-1
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/334f5378-6651-4a24-9d47-1756fdbfdd4f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/808818
Signature
Binary is likely a compiled AutoIt script file
Creates an undocumented autostart registry key
Installs a global keyboard hook
Modifies security policies related information
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 441229 Sample: BkWC7uAq3c Startdate: 28/06/2021 Architecture: WINDOWS Score: 64 43 Multi AV Scanner detection for submitted file 2->43 45 Binary is likely a compiled AutoIt script file 2->45 8 BkWC7uAq3c.exe 22 2->8         started        process3 file4 29 C:\Users\user\RDP6\ConnectionClient.exe, PE32 8->29 dropped 31 C:\Users\user\RDP6\mstscax.dll, PE32 8->31 dropped 33 C:\Users\user\RDP6\mstsc.exe, PE32 8->33 dropped 47 Binary is likely a compiled AutoIt script file 8->47 12 ConnectionClient.exe 13 21 8->12         started        signatures5 process6 dnsIp7 37 172.30.40.22 ATT-INTERNET4US Reserved 12->37 39 172.30.40.220, 3389 ATT-INTERNET4US Reserved 12->39 41 192.168.2.1 unknown unknown 12->41 35 C:\Users\user\RDP6\TsCredentials.exe, PE32 12->35 dropped 49 Creates an undocumented autostart registry key 12->49 51 Binary is likely a compiled AutoIt script file 12->51 53 Modifies security policies related information 12->53 55 Installs a global keyboard hook 12->55 17 TsCredentials.exe 1 12->17         started        19 TsCredentials.exe 1 12->19         started        21 TsCredentials.exe 1 12->21         started        file8 signatures9 process10 process11 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 21->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27184266a647b3678779aef4ce2938a45d76a9ef56f1fd53e9722c8deec87e98/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-06-28 12:44:11 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
0a44ee4a63f01378570de7668ee2daa17534d296a6ff2c45bc14d8f9b07bb837
0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe
1a1e969edb406d8003cbfca1cdcebb8d14a882ae200c3c43891e3c98a0cb0c9c
3b53e6ff0f0dc7291d7c1d74913a971a488b0364fd2b10527d25e175233e2654
3c33735f1fe5c4eb58b13703f2b97e472e2b9ffcf0e083756ebe7111b227bb30
5f788a4f3f135a5a5533ed8f83871369850b790f9114ecd672421f171a9b8000
9a2ffcf3f6be8f2fb3ea792c854fbe72e907c99391ded77733a1401d4d168e9e
bb831ab940a6594bdf6bf1c917c9d879e0276e5143b55d0b91aa3d88d2785813
ed4d81c2e471c379a98cce49aba9fabcdbf1b56b02a8d724fb76c53bd33121db
f8166e1205c9dd0761f42f47c8d3e3c944b72b1fd3713a0383040f263987a649
+ 1'038 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210628-pjb2sa7cne/
Behaviour
Checks SCSI registry key(s)
Modifies Control Panel
Modifies data under HKEY_USERS
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
autoit_exe
Checks whether UAC is enabled
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
UAC bypass
Unpacked files
SH256 hash:
b6db60c73aa8b0068504b71971ce3454a6d77b91b083e07224c1c9d8797aac41
MD5 hash:
cab8061bfcbd8fb7b14922f6de816d1a
SHA1 hash:
b04c68593afb90f68a57ea4fbf65ca9665d69a20
Link:
https://www.unpac.me/results/a24733a5-9eaf-4370-8f1b-d9485f271e10/
SH256 hash:
27184266a647b3678779aef4ce2938a45d76a9ef56f1fd53e9722c8deec87e98
MD5 hash:
f4b5bf2340ee26ceeb762e7f288e9e73
SHA1 hash:
5112f18009ee1e98957cfc4ffc5fd0c8920fce3c
Link:
https://www.unpac.me/results/a24733a5-9eaf-4370-8f1b-d9485f271e10/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27184266a647b3678779aef4ce2938a45d76a9ef56f1fd53e9722c8deec87e98

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 27184266a647b3678779aef4ce2938a45d76a9ef56f1fd53e9722c8deec87e98

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/168586/

Comments