MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
SHA3-384 hash: 633e4b1f53b96f39cdd0315bc133dffcb5c2996588324e144705e3d89e3f71d0cb837ef34bd09aa1a3f44711c69c7cc5
SHA1 hash: 34e1ab44835c41e7f17b6729bbd008b6c3e9afe5
MD5 hash: b19b78b10092d1ac185bc35faf8c6efd
humanhash: oregon-oven-oregon-hamper
File name:b19b78b10092d1ac185bc35faf8c6efd
Download: download sample
File size:1'748'225 bytes
First seen:2024-01-01 04:11:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 49152:pl+AMVeJGC3hwJZ7a07xznKMj5RyX2sqq3BB:pIAMV+Ga+xznKMj58Z53BB
Threatray 4 similar samples on MalwareBazaar
TLSH T19885333846EA6C09F0514578AD305325E89ADD1CA11EEFE68164BFF942B39ED332E253
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
402
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
Win.Packed.Msilheracles-10017861-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Modifying a system file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control installer lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/65923b587d4bdb7f8b0227bf/reports/d05f68bb-58d3-4bd2-978d-e09af0344e0f/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96191140-fa40-4f62-8c75-6a6443ca60bf
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1368474
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368474 Sample: pD7iCRr3Pz.exe Startdate: 01/01/2024 Architecture: WINDOWS Score: 64 98 su.eda1.ru 2->98 102 Multi AV Scanner detection for dropped file 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 .NET source code contains potential unpacker 2->106 108 Machine Learning detection for sample 2->108 15 KKMAgent.exe 15 29 2->15         started        19 pD7iCRr3Pz.exe 6 69 2->19         started        21 KKMAgent.exe 1 2->21         started        signatures3 process4 dnsIp5 100 su.eda1.ru 213.189.216.94, 443, 49733, 49735 INTERNET-PRO-ASRU Russian Federation 15->100 56 C:\Users\user\AppData\Local\...\tmp7617.tmp, PE32 15->56 dropped 58 C:\Users\user\AppData\...\kkm.exe (copy), PE32 15->58 dropped 23 kkm.exe 34 15->23         started        60 C:\Users\user\AppData\...\uninstall.exe, PE32 19->60 dropped 62 C:\Users\user\AppData\Roaming\...\TSCLIB.dll, PE32 19->62 dropped 64 C:\...\System.Threading.Tasks.Extensions.dll, PE32 19->64 dropped 66 18 other files (14 malicious) 19->66 dropped file6 process7 file8 82 C:\Users\user\AppData\Roaming\...\QRCoder.dll, PE32 23->82 dropped 84 C:\Users\user\AppData\Roaming\...\KKMLib.dll, PE32 23->84 dropped 86 C:\Users\user\AppData\...\HtmlAgilityPack.dll, PE32 23->86 dropped 88 2 other files (none is malicious) 23->88 dropped 26 KKMAgent.exe 20 23->26         started        process9 file10 90 C:\Users\user\AppData\Local\...\tmp9F3A.tmp, PE32 26->90 dropped 29 kkm.exe 26->29         started        process11 file12 96 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 29->96 dropped 32 KKMAgent.exe 29->32         started        process13 file14 68 C:\Users\user\AppData\Local\...\tmpC020.tmp, PE32 32->68 dropped 35 kkm.exe 32->35         started        process15 file16 74 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 35->74 dropped 38 KKMAgent.exe 35->38         started        41 KKMAgent.exe 35->41         started        process17 file18 78 C:\Users\user\AppData\Local\...\tmp7F3A.tmp, PE32 38->78 dropped 43 kkm.exe 38->43         started        80 C:\Users\user\AppData\Local\...\tmpF6EF.tmp, PE32 41->80 dropped 46 kkm.exe 41->46         started        process19 file20 92 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 43->92 dropped 48 KKMAgent.exe 43->48         started        94 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 46->94 dropped 51 KKMAgent.exe 46->51         started        process21 file22 70 C:\Users\user\AppData\Local\...\tmpA32D.tmp, PE32 48->70 dropped 72 C:\Users\user\AppData\Local\...\tmp37C1.tmp, PE32 51->72 dropped 53 kkm.exe 51->53         started        process23 file24 76 C:\Users\user\AppData\Local\...\nsProcess.dll, PE32 53->76 dropped
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be/
Threat name:
Win32.Downloader.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-01 04:11:10 UTC
File Type:
PE (Exe)
Extracted files:
209
AV detection:
7 of 22 (31.82%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g24c6pnu4sy5uuzfftypthwpvml2bgzjpa7hzgeb6sh6lwtgiw7a._file
Verdict:
unknown
Similar samples:
0eb49cae715e2f31551ea4afa64045540ed77ab891ba1864660b74af64a16971
1f0c96d7ee0d9664c0085394604a9137abc292a52c871f4bc3b5245627961573
36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/240101-erx5wsead9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Unpacked files
SH256 hash:
36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be
MD5 hash:
b19b78b10092d1ac185bc35faf8c6efd
SHA1 hash:
34e1ab44835c41e7f17b6729bbd008b6c3e9afe5
Link:
https://www.unpac.me/results/6aaf6e43-df77-4775-a5c7-423c0283ef87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 36b82f3db4e4b1da53252cf0f99ecfab17a09b29783e7c9881f48fe5da6645be

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2745591/

Comments


Avatar
zbet commented on 2024-01-01 04:11:01 UTC

url : hxxp://su.eda1.ru/dist/kkm/kkm_new.exe