MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2827bdbc3b1d06f967618d657a5186d96493af1d9325ac545b589330db598e69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2827bdbc3b1d06f967618d657a5186d96493af1d9325ac545b589330db598e69
SHA3-384 hash: a5c5338e771599343badb4cd88e4be539ca4cc71c328ecfaeaedd65595bf06e9fa7371e684e14150a841e4778efc99b0
SHA1 hash: 7cb19509930f514f5873f831b21edd4a0e7ea7e0
MD5 hash: c766e93afb7c2481572f3d672d5962a2
humanhash: sweet-nevada-asparagus-sierra
File name:SecuriteInfo.com.Variant.Strictor.272954.13940.17743
Download: download sample
File size:945'152 bytes
First seen:2022-06-22 04:37:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:D1YivcYiOw9F0vw9FEY9lw9FDc991zpPYB4onq4YiOw9F0cYiDw9F0cYiOw9F0:DFvSOGGvGDlGhaHPQ4AqWOGGSDGGSOGG
Threatray 1'438 similar samples on MalwareBazaar
TLSH T1C815F1203284A747D07B17BA517093500BF577662AA5DE0EDF826CFA3A6E733460CE76
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 4acd564949668504 (20 x AveMariaRAT, 1 x RedLineStealer, 1 x LaplasClipper)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282160/
Detection(s):
SecuriteInfo.com.Variant.Strictor.272954.13940.17743.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b29cc149d6271f1a7655ad/reports/f05eddd8-c6a6-4cc7-8f4c-b22cf7aa1d9f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/720569e2-7eaf-474a-996d-3ae6770a72c5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1017615
Signature
.NET source code contains potential unpacker
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2827bdbc3b1d06f967618d657a5186d96493af1d9325ac545b589330db598e69/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-22 04:12:35 UTC
File Type:
PE (.Net Exe)
Extracted files:
63
AV detection:
20 of 41 (48.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fat33pb3dudpsz3brvsxuumg3fsjhly5sms2yvc3lcjtbw2zrzuq._file
Verdict:
malicious
Similar samples:
126f4b059eb850623ada989960bb5ab6cb935786c435872b55b8c25b90332053
361aefa20296e948087c008c5406e913b904822b7211c39b671d2f202dcd59fa
9a95de1cbc2bc1bbb8b87c0ea935b9c6675ce2a712465a40cbb2f4dfb85d711f
a4909a33752937758066e89e1d50779e4287f893455eb59459345fe2a867d489
c946622e70eb857612f03cd647c2675d41595661e06b18ad189b8591433c06a6
ebcf3aeae13aefe1081740f50900a39816f4d8cc4b6699365001b79fdd69d22b
+ 1'428 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220622-e9dh7sbbf7/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/ecca08db-785f-42d6-9cca-5d67bfd824e4/
SH256 hash:
6c6fcad45381c07c679309b50e826243473473c9cb77d3cf2017ecd133a75c78
MD5 hash:
ea39d687d58cd9059cc82c78cf0480b9
SHA1 hash:
b5320e6576083d0d9b1281828b898593be7efa88
Link:
https://www.unpac.me/results/ecca08db-785f-42d6-9cca-5d67bfd824e4/
SH256 hash:
880c9ff80de33cde042ab26d75677dab18fdc7695908d615c44efa8b5d8e088a
MD5 hash:
07e1e5baea35d75e784cce3b991a5fdc
SHA1 hash:
2f5cd9ad4acec13ddb49f9d69093f9fe475342c2
Link:
https://www.unpac.me/results/ecca08db-785f-42d6-9cca-5d67bfd824e4/
SH256 hash:
2827bdbc3b1d06f967618d657a5186d96493af1d9325ac545b589330db598e69
MD5 hash:
c766e93afb7c2481572f3d672d5962a2
SHA1 hash:
7cb19509930f514f5873f831b21edd4a0e7ea7e0
Link:
https://www.unpac.me/results/ecca08db-785f-42d6-9cca-5d67bfd824e4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/2827bdbc3b1d06f967618d657a5186d96493af1d9325ac545b589330db598e69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282160/

Comments