MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced
SHA3-384 hash: 5827718229f803903d19f4ded257b06d9a11c7f336849ce2a1fb27bd2b6c7020d8e702fb98fc2531bc7e1f5ab3aa7edb
SHA1 hash: f73d6360fca7ca9cf85b56e2419733e42796c8ae
MD5 hash: 2a010bb9775bc739ced3d34f4c0e6175
humanhash: nebraska-earth-oxygen-orange
File name:9876543456789876.exe
Download: download sample
File size:1'058'816 bytes
First seen:2021-10-05 16:12:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:o4k9s1CbULw6fLOQ/TewNBm93HMVprs/lppB:o4k9s1CG//TLNWHEprEpp
Threatray 741 similar samples on MalwareBazaar
TLSH T1FB35022A7657860ED063E73EDD63EB4017A19FA95CE2870EAAC531FD413A7263C50F81
File icon (PE):PE icon
dhash icon 5145032317177149 (1 x a310Logger, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
465
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195130/
Detection(s):
Win.Dropper.Generic-7113183-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a file in the %temp% directory
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615c7990b95458900cdc8888/reports/ab0aee6f-836b-46d1-91df-58878386aaba/overview
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7258988-9b20-488b-9c3d-efd0483be970
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/864955
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497383 Sample: 9876543456789876.exe Startdate: 05/10/2021 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 .NET source code contains potential unpacker 2->48 50 2 other signatures 2->50 8 9876543456789876.exe 3 7 2->8         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\payload.exe, PE32 8->30 dropped 32 C:\Users\user\...\9876543456789876.exe, PE32 8->32 dropped 34 C:\Users\user\...\_Zazmblzjlsqftseho.vbs, ASCII 8->34 dropped 36 2 other malicious files 8->36 dropped 52 Creates an undocumented autostart registry key 8->52 54 Writes to foreign memory regions 8->54 56 Allocates memory in foreign processes 8->56 58 Injects a PE file into a foreign processes 8->58 12 9876543456789876.exe 15 2 8->12         started        16 9876543456789876.exe 8->16         started        18 wscript.exe 1 8->18         started        20 2 other processes 8->20 signatures5 process6 dnsIp7 38 checkip.dyndns.org 12->38 40 checkip.dyndns.com 132.226.8.169, 49779, 80 UTMEMUS United States 12->40 42 freegeoip.app 172.67.188.154, 443, 49780 CLOUDFLARENETUS United States 12->42 60 Tries to steal Mail credentials (via file access) 12->60 62 Tries to harvest and steal ftp login credentials 12->62 64 Tries to harvest and steal browser information (history, passwords, etc) 12->64 66 Multi AV Scanner detection for dropped file 16->66 68 May check the online IP address of the machine 16->68 70 Wscript starts Powershell (via cmd or directly) 18->70 22 powershell.exe 22 18->22         started        24 conhost.exe 20->24         started        26 conhost.exe 20->26         started        signatures8 process9 process10 28 conhost.exe 22->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-05 14:34:30 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ft5g4cpmn26bqr3ueogwusl56q6f53mmfqb6q3udaqamrn74jtwq._file
Verdict:
malicious
Similar samples:
0de691a91c2cce2b647aafa0fc5abdbfb84e2a91cda8ff93f4f85f2385007901
2d1e7b0b691c806b94f685f348dbe5bb4857edf0408f363314fe97535f4723a1
6ab28a843d5ad26feee60448dfbbb5ddba73da6d5dc5a6a6fb9c0129bc7e3bf6
a7569d53e60e0ac669bdc54b6bc7a81932acf899ec055c7e0eb060d865c8437a
ab7553549ec32422ee868e71eb96fae87439a4c1333e400d455f31d0b74c8ef2
cceb66dfe8d4e74b4f6ea988cb978e0438f29ffdb0923d7cb0590583fd31c46f
+ 731 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/211005-tn3njaaag7/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
105904f9cecd263829f26ad749db6956a10f5c8485d0ea574fa506d19473f9f6
MD5 hash:
927c2e20d6b3b09d837db50e97660821
SHA1 hash:
1ec26bc325d5c72b42f427d252c503f6b16b2041
Link:
https://www.unpac.me/results/77486c13-dce8-4437-8479-ca9797c34676/
SH256 hash:
2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced
MD5 hash:
2a010bb9775bc739ced3d34f4c0e6175
SHA1 hash:
f73d6360fca7ca9cf85b56e2419733e42796c8ae
Link:
https://www.unpac.me/results/77486c13-dce8-4437-8479-ca9797c34676/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/2cfa6e09ec6e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/195130/

Comments