MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36c02360973d05a737eb4fa2c045ac2e7ddeb771d4e9bd41448f4c5742e63b71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	36c02360973d05a737eb4fa2c045ac2e7ddeb771d4e9bd41448f4c5742e63b71
SHA3-384 hash:	41aa7ec622b752699d0a89c44ad1270f4905df2a0810e6cc5f7688704c46ca00a9c6424d05c8aa1532628aba53d7f9a5
SHA1 hash:	aec819c8c0c185b24dc74cc19dbb11f4ad22d00e
MD5 hash:	92e7df04c1471b10937068b2ae7b47e2
humanhash:	rugby-early-one-emma
File name:	92e7df04c1471b10937068b2ae7b47e2.exe
Download:	download sample
File size:	166'912 bytes
First seen:	2022-01-01 17:52:40 UTC
Last seen:	2022-01-01 19:37:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:g6wsatjMVqRmJyGrXnw0Zz9EbuJL2/5ipGlXnHyJBA8lPqBohiVVHyrK:JvatSqRayG6aL+0Jrqfym
Threatray	424 similar samples on MalwareBazaar
TLSH	T1F1F39D0237A8DF26EABA9BF55422208053B2755B2637E3488DC774DB25F6B200B52F57
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

234

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://transfer.sh/get/HvaX2c/123.exe

Verdict:

Malicious activity

Analysis date:

2021-12-31 22:05:49 UTC

Tags:

trojan rat redline

Link:

https://app.any.run/tasks/f521b468-9b6e-46c1-ab2e-a75f578c7c19

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/217020/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.23506.16063.12084.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Сreating synchronization primitives

Sending a custom TCP request

Sending an HTTP GET request

Creating a file

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/61d095018991ba72b3a46641/reports/d1b3a8ed-b879-4d23-aa49-9eeb384ff859/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/99a69410-07ba-4102-92fe-49305004c1ee

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/914500

Signature

.NET source code contains potential unpacker

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/36c02360973d05a737eb4fa2c045ac2e7ddeb771d4e9bd41448f4c5742e63b71/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-01-01 17:53:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Verdict:

malicious

264b1ca9df86f0d722b98b6aebc1be86d4c342747b709113a4eca4d68fc0dbdc

2c7756ea23a40db1be39e11f74818899f046306bb8fedfb4a7bc004df565a18a

328373a397ca0334ad32e1932b8d9455a40e6efb4c4d1006c9d2cf6b4d6140b6

4c6f60ba070864a86dceaa5785b1dceb395cbe4667b9c539bc0675411b4e16a9

5f302c2acf2e8eff09c342daa20e4ec3659f1bcbf09755682f24da0b96b869a8

72146e890efa1de6ee90e445ceb11ad9dc3b053fa5e82757756a393ee4617a77

8dfade8dc8eae27c0d0b48b95fdc4353c87e9172eeb392844b341f88c154089d

b469963d4507cd2bf3073abee59a88cd2bf0bbbd9b1a3138d4ef7b76860e1617

+ 414 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220101-wga12shhc7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

83407464d2eb5be1d9ca7b840b52c5c7ccfc1ae2603d7a7d757b824f4613a2a8

MD5 hash:

6d9a7c94b1338a7b91bb9dcec656a913

SHA1 hash:

15bb699ffc8a2c9879e3dc6c7a9c23eac921a109

Link:

https://www.unpac.me/results/862c321c-078a-4065-a553-25ca37a5c015/

SH256 hash:

36c02360973d05a737eb4fa2c045ac2e7ddeb771d4e9bd41448f4c5742e63b71

MD5 hash:

92e7df04c1471b10937068b2ae7b47e2

SHA1 hash:

aec819c8c0c185b24dc74cc19dbb11f4ad22d00e

Link:

https://www.unpac.me/results/862c321c-078a-4065-a553-25ca37a5c015/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

iSpy Keylogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36c02360973d05a737eb4fa2c045ac2e7ddeb771d4e9bd41448f4c5742e63b71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 36c02360973d05a737eb4fa2c045ac2e7ddeb771d4e9bd41448f4c5742e63b71

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1939649/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/217020/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample