MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 354d3e283f994802a084678c53be397a4ea4d46d7e48487e6db6c46f6f91ffb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 354d3e283f994802a084678c53be397a4ea4d46d7e48487e6db6c46f6f91ffb9
SHA3-384 hash: 613a31bc19fa5a455f959a07b34e334e6f5cde152d6ed7e96ba51b45f3797c95c855f8fba34d3d25b72afcc98abc035e
SHA1 hash: 1edec7885452133f553cae99a656b77dc89670c3
MD5 hash: fcf037a887e9e2674b6e5e3d9f241b02
humanhash: mango-idaho-georgia-six
File name:fcf037a887e9e2674b6e5e3d9f241b02.exe
Download: download sample
File size:650'328 bytes
First seen:2020-08-31 13:31:11 UTC
Last seen:2020-08-31 16:35:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rb48FDZQN34w6szVqqdvGVVq+UkIEP9N+n+HpZRxUfaQ5+QV7:rb48BwZzLdvGVQ+IEin+BxUfn5+u7
Threatray 85 similar samples on MalwareBazaar
TLSH B0D46BC7E7D08951C52522B68673C71406D2EF452273D32AEA2F72E31EB37393856AC6
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53583/
Detection(s):
SecuriteInfo.com.Generic.mg.fcf037a887e9e267.3336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/455560
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Disables Windows Defender (via service or powershell)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280178 Sample: QtSXXiIk2T.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 64 35 Multi AV Scanner detection for submitted file 2->35 37 .NET source code contains method to dynamically call methods (often used by packers) 2->37 39 Machine Learning detection for sample 2->39 41 2 other signatures 2->41 7 QtSXXiIk2T.exe 1 3 2->7         started        process3 signatures4 43 Disables Windows Defender (via service or powershell) 7->43 10 powershell.exe 25 7->10         started        12 powershell.exe 23 7->12         started        14 powershell.exe 24 7->14         started        16 10 other processes 7->16 process5 dnsIp6 19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        33 192.168.2.1 unknown unknown 16->33 25 conhost.exe 16->25         started        27 conhost.exe 16->27         started        29 conhost.exe 16->29         started        31 6 other processes 16->31 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/354d3e283f994802a084678c53be397a4ea4d46d7e48487e6db6c46f6f91ffb9/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 13:33:05 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
305d2dc35b0ce0040b0223e8fb187e04ac7c36e99ad620a7b824035183a2ccea
34cbecb7d69d17b347da77599976058e0a02a9930a085d1a5b98505fdfb77a46
383e589441b2d47da8108e096dcbef6501935e91f248158a624bed91fef1524c
7e9b9bbb673e25ab8ee790dbfd2a3e489c0d3a88ab73aafe671f68982f1b41da
8025c16aa7b7e0d0dfe71e8f627c287ebefc935a6b65cf180409f36633626277
8a0212846806b7a822b1275aa4421addc9914c4a988fc0ac6458a48dd99ff50d
c721b0763a2f11e043a9f309937f65e16e9a27f42e103ab45252c83727415367
d047df658498dd43b18f3adaa2775c42d1103a0c211eb52ff1e312c9f2784149
e0035aa03440db1460ee92e59d384ed20dce147a7f62c846c486da9decac4b28
fcbe71082a3592c66d1c16e331ee3af753087b46c63a118cab63cc5869e65b9a
+ 75 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200831-gg36yfnnne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Windows security modification
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/354d3e283f994802a084678c53be397a4ea4d46d7e48487e6db6c46f6f91ffb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 354d3e283f994802a084678c53be397a4ea4d46d7e48487e6db6c46f6f91ffb9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/446428/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/447390/
Cape
Cape
https://www.capesandbox.com/analysis/53583/

Comments