MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343
SHA3-384 hash: 5cd604bca73f3e46da1aa089051e0af76cfb588bd1ba2e17cd82e5d49d41e49a8b3f0c94fa7b2083e9f18ba2dad0348a
SHA1 hash: 2680a6c5db29e0cf2e9f2d3998160037b9cb9da7
MD5 hash: 043857927ef282a798f2d188c3279aec
humanhash: echo-quebec-pennsylvania-nine
File name:PO-2024-8111-DL-B1.exe
Download: download sample
File size:774'656 bytes
First seen:2024-11-20 14:38:58 UTC
Last seen:2024-11-21 10:11:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ef471c0edf1877cd5a881a6a8bf647b9 (67 x Formbook, 33 x Loki, 29 x Loda)
ssdeep 12288:rOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiSOgEAmDhyl/qw8VNnWLu2Cm20XJfP:rq5TfcdHj4fmbRiyIw8NWDn20Z75h0w
TLSH T18CF412B1B04DCDC9FD9623B104B69B2110379E5D9C56960D30EA3F2B7BB33532892D6A
TrID 33.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
33.3% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
13.1% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon 68d8d8c8d9a9c1d9 (96 x SnakeKeylogger, 67 x RemcosRAT, 66 x Formbook)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
413
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO-2024-8111-DL-B1.exe
Verdict:
No threats detected
Analysis date:
2024-11-20 14:42:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06cf8a29-ea2a-4411-923d-5c64661d86b3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.Trojan.VORE-2106.1542.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=673df5cbe293c03416fba21d
Tags:
injects autoit virus gates
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Launching a process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit compiled-script evasive microsoft_visual_cc packed packed packed packer_detected phishing upx
Link:
https://www.filescan.io/uploads/673df492a99242316c496012/reports/a5f6fece-0700-4df5-b8b9-0dd4dc2ce30d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e4b37414-cddd-4ad2-a079-1e9da2a95cbb
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1559485
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2024-11-20 00:10:43 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gweqbayapeqv5p666vranjfvktqgq7coqe3b5plr5yus3buwknbq._file
Verdict:
malicious
Label(s):
unknown_loader_036
Create hunting rule
autoit
Create hunting rule
Similar samples:
error
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery upx
Link:
https://tria.ge/reports/241120-r1ar6sxgjg/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
AutoIT Executable
Suspicious use of SetThreadContext
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5082afc3-0703-4f98-a93d-8a03d05781d3
Unpacked files
SH256 hash:
4a4fa4d86131e3c7fec9f283a20aec0881bea0c57f306dbc58e8164791bb078d
MD5 hash:
42c8d488187d638f385b6e54b2fcbbd9
SHA1 hash:
f1f862f1fd4447d16b60867d586f033c981b2ee7
Link:
https://www.unpac.me/results/77b5e251-121b-4bc2-9628-b81b27d33833/
SH256 hash:
a584a02164374d00166a586751205d4419d805a17b8a03cbb260b6bed709b4e2
MD5 hash:
6b9b68eecf3b4e6e38112f1e737698ce
SHA1 hash:
c99fa9250ca7f0410c939e0243779c34e61365c3
Link:
https://www.unpac.me/results/77b5e251-121b-4bc2-9628-b81b27d33833/
SH256 hash:
b9fc1c00f7a7d2312214b05f18fbf33ed9ef0a2ad5942efd4a9e5b45d3c27f93
MD5 hash:
dfb551b8702a3dbfcda227fdc4b35e17
SHA1 hash:
e3880851d94113d54f106a93b69870d45c9a9759
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/77b5e251-121b-4bc2-9628-b81b27d33833/
SH256 hash:
358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343
MD5 hash:
043857927ef282a798f2d188c3279aec
SHA1 hash:
2680a6c5db29e0cf2e9f2d3998160037b9cb9da7
Link:
https://www.unpac.me/results/77b5e251-121b-4bc2-9628-b81b27d33833/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 9ffbdb410011e5def7b3d99c93b053472d16cbb4870bf181bc615a88a69647af

Executable exe 358900830079215ebfdef56206a4b554e0687c4e81361ebd71ee292d86965343

(this sample)

  
Dropped by
SHA256 9ffbdb410011e5def7b3d99c93b053472d16cbb4870bf181bc615a88a69647af
  
Dropped by
MD5 cbbf0e2f7b3bb107bc670c2fc07e6c4e
  
Dropped by
SHA256 3f2b5a2d9e34a1cb7521891909d29119f242e58665f8aee2870b1f0329d19ebf
  
Dropped by
MD5 f7d4a43f9726d3154575580a3eea0ad2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments