MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3905f8d441908527f02140c7e2b9939978d824485dba4fa15ebe247d42385f05. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3905f8d441908527f02140c7e2b9939978d824485dba4fa15ebe247d42385f05
SHA3-384 hash: ba453b48b38ad9fc62434f41a6f7da64f226e4e587cf1521420dd50bea4fa127d4a5c43518772f52c0fb9a774c92d578
SHA1 hash: ababab5a6b495a9598aeaec0233f0d1aa1b611a6
MD5 hash: 3e2c1ae2203bcd60588a7585ae7abe88
humanhash: india-april-sierra-network
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.60993.15327.12025
Download: download sample
File size:901'120 bytes
First seen:2021-01-04 16:47:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:TQyvOmt/sLxZZbIusIjxXCx1x6jdRbYubxGuJ/eAsM4l2Tp:kyvOmt/sLxQuPCalYubxG0Jf
Threatray 8 similar samples on MalwareBazaar
TLSH F2154A20B2B0DDF7F553023138247188297EA28762C9920EAA377AD45377B71F5DCE66
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Keygen.exe
Verdict:
Malicious activity
Analysis date:
2021-01-04 11:34:45 UTC
Tags:
trojan rat azorult stealer raccoon remcos
Link:
https://app.any.run/tasks/744e65fa-cd08-45d1-83cf-dc847f46ebea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110445/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.60993.15327.12025.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/573558
Signature
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335840 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 04/01/2021 Architecture: WINDOWS Score: 68 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AntiVM_3 2->41 43 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->43 45 Disables Windows Defender (via service or powershell) 2->45 8 SecuriteInfo.com.Trojan.PWS.Siggen2.60993.15327.exe 3 2->8         started        process3 file4 37 SecuriteInfo.com.T...60993.15327.exe.log, ASCII 8->37 dropped 47 Injects a PE file into a foreign processes 8->47 12 SecuriteInfo.com.Trojan.PWS.Siggen2.60993.15327.exe 1 1 8->12         started        signatures5 process6 signatures7 49 Disables Windows Defender (via service or powershell) 12->49 15 powershell.exe 24 12->15         started        17 powershell.exe 8 12->17         started        19 powershell.exe 8 12->19         started        21 10 other processes 12->21 process8 process9 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 5 other processes 21->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3905f8d441908527f02140c7e2b9939978d824485dba4fa15ebe247d42385f05/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-04 16:48:08 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  1/5
Verdict:
unknown
Similar samples:
0b2d09d8e19e018c6f927ca3d8d21dbd467cd66dd6f66dc969f15ca47dab3935
12f2ee1cc6d06299b1a044cae83201d6550122a5e4ea1b3211415aba57059f14
39e866b9998243e9107cabc7329774e0d6413ada36814d7ebbd93a3235a82390
72e1047dc517256cd82e774100a7d81b1a35c3449f4eb34f310b770679d430b5
904f9d09f6729501708bff5b7d690e25a69025f4a2ae207996db9f97670d0748
af4df90789a38930e17df309cb35d20e61e9c3ceacc1935718e4958eb05fbced
deb5aeda39ad04b441ddbca22caa3a35e572483cc56e6a095b951342e716d6f6
e3154d853187b18659c637d16cb0a1fdd48c1bfa53c5d39aa11e1ed3db471dbd
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210104-6zbs6ksfc6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
3905f8d441908527f02140c7e2b9939978d824485dba4fa15ebe247d42385f05
MD5 hash:
3e2c1ae2203bcd60588a7585ae7abe88
SHA1 hash:
ababab5a6b495a9598aeaec0233f0d1aa1b611a6
Link:
https://www.unpac.me/results/acdf4f21-94c3-4911-ac7a-efc6bde71479/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/acdf4f21-94c3-4911-ac7a-efc6bde71479/
SH256 hash:
3bb3ef934f36ef1ba3eda28372d9c2126855dbf900a2501652c93571d97726a0
MD5 hash:
cad0d7233a4eb842d005b2bda705e846
SHA1 hash:
b49ca0be1a774ebbae502eabb18e1e66a8a8ee09
Link:
https://www.unpac.me/results/acdf4f21-94c3-4911-ac7a-efc6bde71479/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/acdf4f21-94c3-4911-ac7a-efc6bde71479/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3905f8d441908527f02140c7e2b9939978d824485dba4fa15ebe247d42385f05

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3905f8d441908527f02140c7e2b9939978d824485dba4fa15ebe247d42385f05

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948785/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110445/

Comments