MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0
SHA3-384 hash: 9e6ecf7c819f64d3e02d01873d33dd63a093020f0f1dfc73657e825661f5f370aa056844f667715554ca4a9512ae383c
SHA1 hash: 1f8041352cccf9c6be8cb896b3ff62b5eebc30a3
MD5 hash: a598a99e367b6c32e50d4c25f1f402a2
humanhash: west-batman-orange-artist
File name:a598a99e367b6c32e50d4c25f1f402a2.exe
Download: download sample
File size:11'776 bytes
First seen:2022-12-20 16:50:38 UTC
Last seen:2022-12-20 18:29:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:ChEYPfrIhLz62IpOl2yisLfcx+2O3FG3c4pE:KnrIhLzXIpRydu+2O3w3l
Threatray 4'978 similar samples on MalwareBazaar
TLSH T1B8329607B294D82AC8594F329897C7E11E387D107D92CF1F35E07B4F6D36392B9522A2
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 80caa6f232fabcbe
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
168
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a598a99e367b6c32e50d4c25f1f402a2.exe
Verdict:
Malicious activity
Analysis date:
2022-12-20 16:58:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a8d9bd80-8de3-4418-86ca-f6935982cf2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/348448/
Detection(s):
SecuriteInfo.com.Variant.Ser.Tedy.2724.66.29817.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending an HTTP GET request to an infection source
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63a1e7f8d2108f6a6f3810e1/reports/e2b41eef-87d8-46a5-8205-eafefdc16bae/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/67438e15-bf02-4aac-95f1-89efbaad47c4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1138098
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-12-20 14:53:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
9 of 41 (21.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gor37ncnklszggisixbzwrjuox323lbyoimvswippqsy2owpqsqa._file
Verdict:
malicious
Similar samples:
1cd90a306cb04ddc66545e47d7ca55d2bbc1dc0877d79f0cdfabadedc43f87e7
261711de27d5ff2dca6ab8a29d6c71dc2f897b8f9fe93be7f7a499f46e5caad0
287833f2222f3e460990b859f8b198280d04561d3930df5946f9dd3a044218b9
7f907663cf0408b52168de1a1182e0185bebffe4554d2e1c713869a9a63d08d9
8dc1691f86f99af947d8056784c28458396821c4b1ce288e8e2a882b0585304e
e4fe83229273ab25badd1e4bfb7fd5842504b91d2e660e997ecc1c845d7054b3
e6d52698d201c0e3dc8a52d6694ecf314a08a5bbc61170dce932a4d9762118e4
e786277086340b57fe809a77cf9ccf0637c59d049abd8b54588fc6193dd2bdf8
f99cf4e79efb37bea41405c5701f8ce7f86dea17a05b0c89f8f775c28458b214
fa8d8657315c0ff3057652f4b34194de08fa9d2ff3028ad2043b53c551851358
+ 4'968 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221220-vctrxsad52/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0
MD5 hash:
a598a99e367b6c32e50d4c25f1f402a2
SHA1 hash:
1f8041352cccf9c6be8cb896b3ff62b5eebc30a3
Link:
https://www.unpac.me/results/d97640ab-ef85-4a63-914e-d07fddfc7aa1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AsyncRat_Detection_Dec_2022
Create hunting rule
Author:Potatech
Description:AsyncRat
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 33a3bfb44d52e593191245c39b453475f7adac38721959590f7c258d3acf84a0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2444763/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/348448/

Comments