MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29b6472345fb0eaf95759b22e748fc893ea0537c79fecb9ff4fdfb70d642dc88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29b6472345fb0eaf95759b22e748fc893ea0537c79fecb9ff4fdfb70d642dc88
SHA3-384 hash: 5f709f4705411e25437a911525b6a836f90b72c1fcb88bd03ca19923338a2f99a11ccb383ed73272ea2cf51f419f458d
SHA1 hash: 7de01094a5bffd81aaf8aa9cabdb43688aa12d4e
MD5 hash: 738047024e2741cee1cd2da5be5b50b8
humanhash: two-march-illinois-fanta
File name:738047024e2741cee1cd2da5be5b50b8.exe
Download: download sample
File size:356'864 bytes
First seen:2021-08-17 09:32:32 UTC
Last seen:2021-08-17 10:46:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 617bb54b6d8ec8aa7b0fd7d08ca3c09a
ssdeep 6144:mFM9NCYOqCUgr4pvYiyJvz0mVYjzksGdYnIVG6exbHKeLnfTvkmDfaxMB:b9kYOqYr4pvY/0mNXaIVExbHPnfTvExM
Threatray 36 similar samples on MalwareBazaar
TLSH T18074AE30B791C035EAA731F459B683B8662D7DB04B2471CF92D52AFE16346E89C3178B
dhash icon d824e790c4e72158 (30 x RaccoonStealer, 18 x RedLineStealer, 16 x Smoke Loader)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
738047024e2741cee1cd2da5be5b50b8.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 09:34:37 UTC
Tags:
trojan loader
Link:
https://app.any.run/tasks/feafda82-24a6-4c38-b22a-cea78bd1bcda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179922/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader41.14748.18707.1237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Connection attempt
Sending an HTTP GET request
Deleting a recently created file
Replacing files
Sending a UDP request
Launching a process
Launching cmd.exe command interpreter
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Downloading the file
Blocking the Windows Defender launch
Launching a file downloaded from the Internet
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/88eb50e8-df07-4178-83b2-9b050565e746
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834233
Signature
Antivirus detection for URL or domain
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell download and execute file
Sigma detected: PowerShell DownloadFile
Sigma detected: Suspicious PowerShell Keywords
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 466664 Sample: 2hFjeTuH0G.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 70 Multi AV Scanner detection for domain / URL 2->70 72 Antivirus detection for URL or domain 2->72 74 Sigma detected: Powershell download and execute file 2->74 76 10 other signatures 2->76 11 2hFjeTuH0G.exe 3 2->11         started        15 cmd.exe 2->15         started        17 cmd.exe 2->17         started        process3 file4 58 C:\...\Runtimebroker.exe:Zone.Identifier, ASCII 11->58 dropped 100 Detected unpacking (changes PE section rights) 11->100 102 Detected unpacking (overwrites its own PE header) 11->102 19 Runtimebroker.exe 18 11->19         started        104 Suspicious powershell command line found 15->104 106 Obfuscated command line found 15->106 108 Tries to download and execute files (via powershell) 15->108 23 powershell.exe 15->23         started        25 conhost.exe 15->25         started        110 PowerShell case anomaly found 17->110 27 conhost.exe 17->27         started        29 powershell.exe 17->29         started        signatures5 process6 file7 52 C:\Users\user\AppData\Local\...behaviorgraphetFile3[1], PE32 19->52 dropped 54 C:\ProgramData\Runtimebroker_new.exe, PE32 19->54 dropped 78 Detected unpacking (changes PE section rights) 19->78 80 Detected unpacking (overwrites its own PE header) 19->80 82 Suspicious powershell command line found 19->82 86 3 other signatures 19->86 31 Runtimebroker_new.exe 2 19->31         started        56 C:\Users\user\AppData\Local\Temp\Vpnm.exe, PE32 23->56 dropped 84 Powershell drops PE file 23->84 35 Vpnm.exe 23->35         started        signatures8 process9 file10 60 C:\ProgramData\Runtimebroker.exe, PE32 31->60 dropped 64 Detected unpacking (changes PE section rights) 31->64 66 Detected unpacking (overwrites its own PE header) 31->66 68 Machine Learning detection for dropped file 31->68 37 Runtimebroker.exe 22 31->37         started        signatures11 process12 signatures13 88 Suspicious powershell command line found 37->88 90 Obfuscated command line found 37->90 92 Tries to download and execute files (via powershell) 37->92 40 powershell.exe 1 14 37->40         started        44 powershell.exe 16 15 37->44         started        process14 dnsIp15 62 193.56.146.55, 49706, 49741, 49747 LVLT-10753US unknown 40->62 94 Very long command line found 40->94 96 Creates autostart registry keys with suspicious values (likely registry only malware) 40->96 98 Disables Windows Defender (via service or powershell) 40->98 46 conhost.exe 40->46         started        48 conhost.exe 44->48         started        signatures16 process17 process18 50 Vpnm.exe 46->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/29b6472345fb0eaf95759b22e748fc893ea0537c79fecb9ff4fdfb70d642dc88/
Threat name:
Win32.Trojan.Fragtor
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 09:33:14 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff
3474885d8a6ef157d6e9893df6c81bcb8273a1f438d641b4a9324ab3823b6539
4889d6f41ad3867c0c32f3a4a673cc8c6bf8e7724d003c62ffe657aa190dda2b
5185c2ed67f7d2b19d3fe2ea6e1d6c89e597f633a5df206bd536620411e7db77
8f2789b6a628a92f9f6313305b255c405f867c49161bb864263dcfef5a6f712d
96ab0a5a858b541c6e6fc44588405d29f8ba18bf8e8ff4af25b235135bbfd01a
b2ef736fad89cf9a80e5c37e4c8e0bcfec77ab815f4176f939569b0b525b8de5
de83c34f12bd4585c2428b672648046e3cd4e7489adb6bdcd592b2751a901cc1
e33c5b9d362c0f6a91945fdcb337f4e90d2cdf9397fac4ee0b5af9d7a96e4956
f4061f8c3a11c9a7fd8e0d1d213594cbdcbe85aa1ab02ac8c76f6897e1f9ef02
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210817-gezf7421yx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Defender Real-time Protection settings
Malware Config
Dropper Extraction:
http://193.56.146.55/Api/GetFile4
Unpacked files
SH256 hash:
84116ab76a7f85a45880b421dce02d55d2d3c6b8e72d9e95f0c4e06423067d6f
MD5 hash:
fd8e905950fdc23faf814ea74aad6b01
SHA1 hash:
acbe9f38a2ba6b44f54a98194a923d6e78d7deb7
Link:
https://www.unpac.me/results/a76ecac9-39f6-4aa2-a1f7-020314ec33ff/
SH256 hash:
29b6472345fb0eaf95759b22e748fc893ea0537c79fecb9ff4fdfb70d642dc88
MD5 hash:
738047024e2741cee1cd2da5be5b50b8
SHA1 hash:
7de01094a5bffd81aaf8aa9cabdb43688aa12d4e
Link:
https://www.unpac.me/results/a76ecac9-39f6-4aa2-a1f7-020314ec33ff/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/29b6472345fb0eaf95759b22e748fc893ea0537c79fecb9ff4fdfb70d642dc88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 29b6472345fb0eaf95759b22e748fc893ea0537c79fecb9ff4fdfb70d642dc88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1525305/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1524012/
  
URLhaus
https://urlhaus.abuse.ch/url/1523998/
  
URLhaus
https://urlhaus.abuse.ch/url/1529939/
Cape
Cape
https://www.capesandbox.com/analysis/179922/

Comments