MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3504e40c6a3cfdd5fa084250cf488cf9d3fad763f3c327ad4d99cf08be328cff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3504e40c6a3cfdd5fa084250cf488cf9d3fad763f3c327ad4d99cf08be328cff
SHA3-384 hash: 7f74d44eec1b0083fef2caef3ac6a4652c5e8541b48a29b822704c26004cc85d287c1b9b84f9db9a3e43ffa178c02d8b
SHA1 hash: 2d351c44d9c7593eed224e0015c571440f010c8b
MD5 hash: e5967a8274d40e0573c28b664670857e
humanhash: oregon-batman-coffee-vermont
File name:Factura_Deuda_423534.cmd
Download: download sample
File size:1'501'338 bytes
First seen:2023-02-01 15:39:17 UTC
Last seen:Never
File type:cmd cmd
MIME type:text/plain
ssdeep 24576:O509Gg1wDNJ+RR2KzMyFQ1Z4QmdPBMT5xUanIx+kK84Av:PG4vB7su
Threatray 435 similar samples on MalwareBazaar
TLSH T19A65AE3A8AA7FDEE732C280484081D530C48372756A6465CED5B4BBD3EC9621DBAD5FC
Reporter 1ZRR4H
Tags:cmd

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
CL CL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.Base64EXE-2.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/63da87d4528134caf0438084/reports/b3331493-3371-4634-b9d8-226dd2991ee3/overview
Result
Verdict:
UNKNOWN
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1163631
Signature
Contains functionality to create processes via WMI
Creates processes via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 796400 Sample: Factura_Deuda_423534.cmd Startdate: 01/02/2023 Architecture: WINDOWS Score: 48 25 Contains functionality to create processes via WMI 2->25 7 cmd.exe 1 2->7         started        process3 process4 9 cmd.exe 23 7->9         started        11 conhost.exe 7->11         started        process5 13 WMIC.exe 1 9->13         started        16 certutil.exe 2 9->16         started        19 powershell.exe 17 9->19         started        21 4 other processes 9->21 file6 27 Creates processes via WMI 13->27 23 C:\Users\user\...\Factura_Deuda_423534.a3x, data 16->23 dropped signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3504e40c6a3cfdd5fa084250cf488cf9d3fad763f3c327ad4d99cf08be328cff/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-02-01 15:40:10 UTC
File Type:
Text
Extracted files:
4
AV detection:
8 of 26 (30.77%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gucoiddkht65l6qiijim6sem7hj7vv3d6pbsplknthhqrprsrt7q._file
Verdict:
unknown
Similar samples:
4ae67a52de5f2bcaea6c9158b4b2dfd3b2953885c34063547b736a4a1096fcb2
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
67dfdca1a2d42035d8ef9bde053531051793e2f13e30b8f1fe0a81fdd52e99fb
7e8cb2531d08a6c664969bcbecbdb946fd7e3088ee8a3b4dab805536bf026571
8c631258f16b062dbbc3c6de1c5d27b727e5c7375fdff993a252fdc98814376a
8fe933e8bf76350e1a991f00cb12b9071ba17f5586a001e17da49e6892ac34f5
ae16b2518b997f291f0e51ac7efecf013db94ca7549f8bd87102431bec8a9b69
b3abbc4d6ecd9a9774e53fca4639b59cd5e24fde9bf97742b046ece663eb2e41
+ 425 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/230201-s6gy4sad67/
Behaviour
Delays execution with timeout.exe
Modifies registry class
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/3504e40c6a3cfdd5fa084250cf488cf9d3fad763f3c327ad4d99cf08be328cff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments