MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c38920864774dad1c2f43546ace95b8fb09ccb8439e5d7389639fbc1c9153b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 7 File information Comments

SHA256 hash:	2c38920864774dad1c2f43546ace95b8fb09ccb8439e5d7389639fbc1c9153b2
SHA3-384 hash:	0019107685a0b6cf8c76015d15b336e0b05507f2d06feb6fb458d15fd40472c2ac04bcb99c534ffd59c747527c860d2e
SHA1 hash:	9358a1a5164dbea597583abe1e1bfa2353e7ce2b
MD5 hash:	aa557208f21ea676ff97d6cee2566ffe
humanhash:	louisiana-pasta-lake-orange
File name:	aa557208f21ea676ff97d6cee2566ffe.exe
Download:	download sample
File size:	59'392 bytes
First seen:	2021-11-14 07:21:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	768:8NLNCnx3esWefu390ji3cUugBmoK+3dUyqFTpH0vQIVN2dOrjWyBoRJ8HUQ+K:MC0190EmoK4duVHeVNcOrjWyaK
Threatray	278 similar samples on MalwareBazaar
TLSH	T199437100B2F45F27D7BDA7FA156161100BF264AA75A0F39C4EC6A1EE6566F801F00F6B
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/205622/

Detection(s):

SecuriteInfo.com.UDS.Trojan-Banker.MSIL.TinyNuke.gen.25668.26281.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6190b91cdec3347825a42a0c/reports/0ff83429-453c-4d5c-a942-c17ebdf947ae/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c842bc8e-df45-4664-8638-4e7ccd65dd35

Result

Threat name:

Unknown

Detection:

malicious

Classification:

bank.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/888804

Signature

.NET source code contains potential unpacker

Checks if browser processes are running

Contains functionality to automate explorer (e.g. start an application)

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c38920864774dad1c2f43546ace95b8fb09ccb8439e5d7389639fbc1c9153b2/

Threat name:

ByteCode-MSIL.Infostealer.TinyNuke

Status:

Malicious

First seen:

2021-11-13 21:11:41 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Verdict:

malicious

0f67fd50b46ca7283dc172211a42e3ffab7b524a1e2e23433c34c88e657cd364

1bdb2bb10581f1ff96824ff8e8ee07de970bf051d63c2c9d216ad9744dc75804

34e32621d9d21c70cf705d5306ea55c636b4561f48a32abb91abe9c8ecf77f82

47f7aba81ea18b4228b8df7aebb135cacd5c36c2b9f79ae1c00fdeb961626f8f

48ee5dff920a4d725d5356561c31b5dc86637ff17bb653f0d39cc3485ce905e9

7661bd5c87f1a9ad322c337f11b600dce2b6fe911656ca9fd1aeaf2197451488

85ec9fb4bee90d873565b289a0165f8a543114e8f20b9725786fcb7900a36c4e

cee16f97554960178a201aad26469926cd079a4254c0f3c420b01b59589f0712

d1597e584fec8eb356aa5c831045b2ce68531e69fe70436fa3ca0d8dd1d90ca7

+ 268 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/211114-h683gsdadq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Downloads MZ/PE file

suricata: ET MALWARE TinyNuke VNC Checkin

Unpacked files

SH256 hash:

2c38920864774dad1c2f43546ace95b8fb09ccb8439e5d7389639fbc1c9153b2

MD5 hash:

aa557208f21ea676ff97d6cee2566ffe

SHA1 hash:

9358a1a5164dbea597583abe1e1bfa2353e7ce2b

Link:

https://www.unpac.me/results/d462bc07-17bc-4da2-9c0a-281abc6c0acf/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Encoded_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

Rule name:	SUSP_PE_Discord_Attachment_Oct21_1 Create hunting rule
Author:	Florian Roth
Description:	Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 2c38920864774dad1c2f43546ace95b8fb09ccb8439e5d7389639fbc1c9153b2

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1783578/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/205622/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample