MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c
SHA3-384 hash: 8bfb70335337d8797438d0d8f9e944557aa397ae40e9df845ab08b51cd78d81ec958c54edd8eb9c16a729b00acd8938a
SHA1 hash: 1ae67cf7561616b8543b83c850b93b1952824be7
MD5 hash: ab928fbd4830f07cf7ac488dca1e746d
humanhash: pennsylvania-cola-georgia-oregon
File name:SecuriteInfo.com.Win32.RATX-gen.12255.26012
Download: download sample
File size:273'408 bytes
First seen:2023-09-13 10:35:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:8uvgD6S2+qU3kNAwGE84AsQvnlBrII/J+M:8uvU2gKAwGE84bQ/ly
Threatray 300 similar samples on MalwareBazaar
TLSH T14F44FA67E31A7C01C69871BA6C12F6B67B34CCF8C5A1F1BDA27C31661A313B1A5E064D
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0eca6f2b0a6ecf0
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Win32.RATX-gen.12255.26012
Verdict:
Malicious activity
Analysis date:
2023-09-13 10:37:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/79d2f24a-aaa3-4a01-b363-b91d809fa39a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448368/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.12255.26012.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Restart of the analyzed sample
Running batch commands
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed packed smartassembly smart_assembly
Link:
https://www.filescan.io/uploads/65019095f880d6610caea482/reports/814bf505-63fc-414a-b138-b373d9932eeb/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec24aff9-22be-4577-a383-14676854d3bb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308250
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Schedule system process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2023-09-13 10:36:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=feeixdkuqblawsw3xvs3iepde4rdmo6l34gh4gt3ugbp3hir2joa._file
Verdict:
malicious
Similar samples:
0f577ded02719eb48f151789292e2275336827c1aed900902d977b929b577d0f
116934a7b29ac10fb8a050f5cbf37553d567c331d6fbdcadcac1fcc87c34c004
1f46d078bfe514f7aeebf7ac92bd226d10335d74702a81059b9d24f5849437e4
a53d11281e99e8c8a4d0ff272ffd32a43e20e5717e484587788060c71795d9da
a94b8bb36703ea288bae378d8db74f114a3aebf4d04c96ac7f5e561e8a4e5d60
b3c1d51c200dbbeea2ebeacdce3cb1b70fec80bdf8042f177cd152cbe595677a
+ 290 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230913-mm8ptsbd2v/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
dc5decefca218b9683e3ab10d90e44ff3f7c5527d5a870d8b09a9140bc9bc2be
MD5 hash:
5e1cac370bcea429e54cde8ee4dd7aad
SHA1 hash:
9257ea16c835de47644b4b18d02b709858c78965
Link:
https://www.unpac.me/results/f792fba9-2a96-4e9f-b110-b936d04d5dce/
SH256 hash:
ce2c6ebcee384ceccd4a63601ac08b002af5184103e2df64126995aff70b0195
MD5 hash:
3c504f74952f08c720ef378f0d989650
SHA1 hash:
07166002e009c19c5ecc4c262a1740faa3ba9edb
Link:
https://www.unpac.me/results/f792fba9-2a96-4e9f-b110-b936d04d5dce/
SH256 hash:
29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c
MD5 hash:
ab928fbd4830f07cf7ac488dca1e746d
SHA1 hash:
1ae67cf7561616b8543b83c850b93b1952824be7
Link:
https://www.unpac.me/results/f792fba9-2a96-4e9f-b110-b936d04d5dce/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/29088b8d5480/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 29088b8d5480560b4adbbd65b411e32722363bcbdf0c7e1a7ba182fd9d11d25c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2711423/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/448368/

Comments