MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 13

Intelligence 13 IOCs YARA 5 File information Comments

SHA256 hash:	29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e
SHA3-384 hash:	666cb2d39bed973561d51e1d7c53ab5beb1e0786ffafca1de3e35f0b9d84a92e6f251c73670de8454b12c9f79da26320
SHA1 hash:	0cab42dd6ce265e6432c3de5f19a1819e1ff760b
MD5 hash:	b7f4500eb6bceebd8f2791046cdeece5
humanhash:	grey-may-mexico-eighteen
File name:	b7f4500eb6bceebd8f2791046cdeece5.exe
Download:	download sample
File size:	1'633'792 bytes
First seen:	2024-08-19 07:12:01 UTC
Last seen:	2024-08-19 07:35:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	24576:YZuv0+G42OGtjtv/byd1mHPHdqJez3eySV2nVOEVCSPJCiDsLi6gfdFA5Bbf6UOd:suMT4zGtjtK1mAs3eRWyQfWJfpOZG
Threatray	5'487 similar samples on MalwareBazaar
TLSH	T11E75239433CDDB47E2AF1B7A58E581608B76A682F111DB496CC8DAE105477682F083FF
TrID	67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.7% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

359

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b7f4500eb6bceebd8f2791046cdeece5.exe

Verdict:

Suspicious activity

Analysis date:

2024-08-19 07:37:06 UTC

Tags:

netreactor crypto-regex

Link:

https://app.any.run/tasks/510bf7f3-33a0-461a-ad11-165b80781fae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.RATX-gen.19539.17295.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66c2f04fb35234d5cc660a3b

Tags:

n/a

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/66c2f04b9a458267e53eb657/reports/e35d69fd-55d3-407c-9ee8-c5fb2f27ca14/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9bc2d994-c276-4700-a036-8c372b724480

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1494784

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e/

Threat name:

ByteCode-MSIL.Trojan.Jalapeno

Status:

Malicious

First seen:

2024-08-19 07:12:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fgtkym36bnchn3fgjncwnu4n7mvgzxfu5gdgplx3ztxwx4idgnha._file

Verdict:

malicious

29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e

64732145f8b389f46eb987ad69455123b54a36d6749e0687f372d711010bc013

98bd4ef353739dc8198b8c460c5bfb82b412e57d3db1f3180f8f5bf6d3b4a197

c056211b404b7fca81ed1ab8b796cf3f67f4ea63d9bb14c121a0f9a169348fb7

d9daa532bee0fea06a91794b95b2e89a13477ed2e900178712141f147f60befe

+ 5'477 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/240819-h1jweatfrl/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/74b5a85f-57a2-4fcd-9ea2-1b5a20320f21

Unpacked files

SH256 hash:

b32f03df9950d9ceee34cef1ff92af62f80141b33fbc2fcb33fe23be83a2194d

MD5 hash:

f7e2eb9a02d2febdd1b677781f812945

SHA1 hash:

68100447777513126caf21e9e2c0a7d139193aca

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

7c7fa86c0afb8507247b74c9cbd7bfa22cc2045470b1f2887318aa2dbf254124

MD5 hash:

77d1f24a596894d97f7643e555d79ee4

SHA1 hash:

292f8a13e5ec7507ec7344829cec5e728ba4cdd7

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

d51fff3aa2b5aaa16b185143cc51293eb774ba131d8435170cfae96117d41e97

MD5 hash:

b82b4a4c09dc237ef81996b92e905a9e

SHA1 hash:

f8b8bb849a526e0920d8fe0c39b335022aa33210

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372

MD5 hash:

4e29f75c0c51b9dec76955f0382d9541

SHA1 hash:

4899aa8e3f57339cbaec8faab777897a76fe1c3a

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677

MD5 hash:

f9d2985aa1c41cca281321fffb5ed424

SHA1 hash:

3a7a58d2dcae2762882357ae34d372744b1dbb9d

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

3da1a65206382fd73f3e950c9ded2f0b8d4966eb8ce59d0fb8d322750f3c1ec9

MD5 hash:

4837ddc35bbae183639596153b5a584b

SHA1 hash:

37f42c15ab53d0a2141db316e60562c8a5702c1a

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

5a8fa06d5a6e899d3b2d5fb6a01a0a88405aed4999796737173fe424a2262c99

MD5 hash:

7dceaa9d1049ba6cd45047bd2a65fbb5

SHA1 hash:

0ee6b04763d318eceb06e01d646fdf0f5f459d41

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

SH256 hash:

29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e

MD5 hash:

b7f4500eb6bceebd8f2791046cdeece5

SHA1 hash:

0cab42dd6ce265e6432c3de5f19a1819e1ff760b

Link:

https://www.unpac.me/results/fb025157-1d8f-4f52-afc7-a76081b66777/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/29a6ac337e0b4476eca64b4566d38dfb2a6cdcb4e98667aefbccef6bf103334e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample