MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9
SHA3-384 hash:	6e54fc310aed4f9e7edaea835495464ff794ca06d43939ed467e3aa51623abf4354dd2e7af6683287bafe3e968137146
SHA1 hash:	2a8c19bebb5682a5c44670579927c5a9e0496013
MD5 hash:	04856c5639aa9f826267dfa59cd10674
humanhash:	august-twelve-blossom-king
File name:	IMG-20240222-WA0046.exe
Download:	download sample
File size:	1'897'472 bytes
First seen:	2024-02-29 09:26:23 UTC
Last seen:	2024-02-29 13:53:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	49152:jVg5tQ7aEA8kQZod+L2L+bE0j6UjhuyF2i5:5g561pZO+H+U
Threatray	1'297 similar samples on MalwareBazaar
TLSH	T19695D0E2638D8264C6B35173B936B753AD7B741D0DA4B41F2FD42E2EBD21312411BAA3
TrID	68.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 12.5% (.EXE) Win64 Executable (generic) (10523/12/4) 6.0% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.4% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter	lowmal3
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

318

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

autoit fingerprint keylogger lolbin packed shell32

Link:

https://www.filescan.io/uploads/65e04de8d529a676e565f94f/reports/171c66de-911c-4522-8d2d-2ef9e3e73e19/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c22704a9-fc63-45c3-8da8-7b9d6413adaf

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1400791

Signature

Binary is likely a compiled AutoIt script file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9/

Threat name:

Win32.Worm.DorkBot

Status:

Malicious

First seen:

2024-02-29 02:15:23 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hkoj25kzsbb4tqmetqiyl5e3ycw4duxpzwmjrc37zeuuzjkethmq._file

Verdict:

malicious

1edf8c6bcf0ae2b38e9e28bcb1fd838c2ea35b5b126e4bc9e42daa2e1e722298

4f51da0a7034a3b491bf21d56896d2cc97f5f240911abfaeacfe73d80bd84a34

a500f27709fb009950d25abae11f25c6e8e0205d15931530467ecfb342a661ad

a9da529f0ad9088cec7e9441a7081084f417655533998caa004597a1bc6ef262

af076d38fb1a0fe805a6a835aefa72a1eaa827bb0421dcc91bd2e6153469d60d

d461810943d78b803fbc9a0ea85d16325af10764243d7d3d6b7b24d52efe685c

dfeb957fc25e4102bf74a28e214d8ad5488d85b552824e0cd1f3c856f3a62acc

f32d1725c917672afcea8f55889bd90ad5199f7d40b7656dba7e365f7df4b79c

fe52c98bfa1f03fa429f4044d5e5bfc3cfd4a571a0f6d37e955397cf583cace5

+ 1'287 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/240229-lerkxace6y/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

AutoIT Executable

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9

MD5 hash:

04856c5639aa9f826267dfa59cd10674

SHA1 hash:

2a8c19bebb5682a5c44670579927c5a9e0496013

Detections:

AutoIT_Compiled

Link:

https://www.unpac.me/results/3456cc9f-e9f9-44bc-b748-c702a0a034e8/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3a9c9d755990/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	YahLover Create hunting rule
Author:	Kevin Falcoz
Description:	YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

tar 941de590c85079b747854a6530398522e1acf019fc15be2e7a15e5c1c60a9e9b

exe 3a9c9d75599043c9c1849c1185f49bc0adc1d2efcd98988b7fc9294ca54499d9

(this sample)

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 941de590c85079b747854a6530398522e1acf019fc15be2e7a15e5c1c60a9e9b

Dropped by

MD5 f2bfd0d790d42474249a187c766db8a9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample