MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b58e39754ba1c029cba1ed075808c17b305a63ecf7d37d85e504695fb1e961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 28b58e39754ba1c029cba1ed075808c17b305a63ecf7d37d85e504695fb1e961
SHA3-384 hash: f17e512b23feec226f3206fb6e7df62a9e1c55567fb69222a650a88e026ed4742509b85ec18547a2cda5968089cf904e
SHA1 hash: 099fead1007aced6b076bdc9e4d91b7f761c3fcd
MD5 hash: 555817315b68de1ba3650ca51202863c
humanhash: lake-east-sink-johnny
File name: 555817315b68de1ba3650ca51202863c
File size: 6'959'616 bytes
First seen: 2022-09-14 08:12:13 UTC
Last seen: 2022-09-14 09:51:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 196608:O8aPzgcIJdcDzmASzkFHMg/oresdX0TiBbj85VB:RQF3mASzkFsAWoiBbj8
Threatray: 19 similar samples on MalwareBazaar
TLSH: T1ED6622A271C1664AD9397B3581DB6558F7F28303FF41C6817F9611A80A3ABDEF01E293
TrID: 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      11.0% (.SCR) Windows screen saver (13101/52/3)
      8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: e0c6c24143a2c4f0
Reporter: zbetcheckin
Tags: 32 exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 275
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour: Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: confuserex obfuscated packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signatures:
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Yara detected Generic Downloader

Result
Threat name: Win32.Trojan.Badur
Status: Malicious
First seen: 2022-09-14 08:13:18 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 17 of 25 (68.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: agilenet
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Loads dropped DLL
Obfuscated with Agile.Net obfuscator

Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 28b58e39754ba1c029cba1ed075808c17b305a63ecf7d37d85e504695fb1e961 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2022-09-14 08:12:16 UTC

url: hxxp://81.161.229.110/htdocs/yYJGpNCWjTgPSFd.exe