MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29e9bb0fe606371bd16d7f1476e089c9bf463caf5cd2c67ac2b3f1148e760a03. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 3



SHA256 hash: 29e9bb0fe606371bd16d7f1476e089c9bf463caf5cd2c67ac2b3f1148e760a03
SHA3-384 hash: 240fbf8dd8dade9469d23529fc1e2a22c730332801898c8fb30cd21309d151594f5c9a79dbaa3ca03af3aa4e8b4bb2ff
SHA1 hash: abafa5050e3ce833ccb0d1d4492a204e9cd14c3a
MD5 hash: 708a4a5d159fcc9dfa5018b804d4e384
humanhash: red-alabama-hamper-ink
File name: Pnkwpmyg.bin
File size: 3'102'720 bytes
First seen: 2020-06-24 08:37:28 UTC
Last seen: 2020-06-24 09:47:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 49152:JzHIwReXywkmanWNdGrhyIvUpUANMlY8Ds2Lgztj0BG2:QCwYKSG
Threatray: 77 similar samples on MalwareBazaar
TLSH: 16E501413F649A97E5BE03F965A38D7947B4F027E0E9E75D3F48A1ED1996B00F80220B
Reporter: JAMESWT_WT

Intelligence


File Origin
# of uploads: 2
# of downloads: 80
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Sending a custom TCP request
Creating a file in the %AppData% directory
Launching a process
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Running batch commands
Creating a window
Using the Windows Management Instrumentation requests
Deleting a recently created file
Forced shutdown of a system process
Unauthorized injection to a recently created process
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Unauthorized injection to a system process
Threat name: ByteCode-MSIL.Infostealer.Coins
Status: Malicious
First seen: 2020-06-24 08:39:04 UTC
File Type: PE (.Net Exe)
Extracted files: 12
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Looks up external IP address via web service
Loads dropped DLL
Deletes itself
Executes dropped EXE
Disables Task Manager via registry modification
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments