MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f
SHA3-384 hash: 7bdff9c54d46b859fe7387af7e401c976a4427f0b6578ff6c20ae7e99fc152d61a7a7739e4b938e57cfd7266c9eb4a4a
SHA1 hash: bdebda6c11e8d443f3cd5a9260319939f4dc7701
MD5 hash: 53f3f8405d443555060e64fff3f77a29
humanhash: saturn-oranges-thirteen-fifteen
File name:44509807.exe
Download: download sample
File size:990'921 bytes
First seen:2021-04-29 06:51:44 UTC
Last seen:2021-04-30 07:38:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 24576:7E1Wa9k4x9AzMw6qQu8Vl9Dqbidmb9YA4qxrQNMZNlkeYAt+:7K3ODQu8H9SZYbCrQN80A+
Threatray 4'775 similar samples on MalwareBazaar
TLSH 2F25231D7A20C42AC3342BB2876B31945BFEC69915B903976FE44BCD3B86AD05CCB716
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
StormKitty
Create hunting rule
Link:
https://www.capesandbox.com/analysis/146429/
Detection(s):
SecuriteInfo.com.Gen.Variant.Zusy.379911.13967.7329.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a window
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/703034
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Installs a global keyboard hook
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 400442 Sample: 44509807.exe Startdate: 29/04/2021 Architecture: WINDOWS Score: 100 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 2 other signatures 2->65 8 44509807.exe 1 21 2->8         started        12 aiaf.exe 17 2->12         started        14 aiaf.exe 17 2->14         started        process3 file4 37 C:\Users\user\AppData\Roaming\...\aiaf.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\wfhp2.dll, PE32 8->39 dropped 77 Detected unpacking (changes PE section rights) 8->77 79 Detected unpacking (overwrites its own PE header) 8->79 81 Maps a DLL or memory area into another process 8->81 16 44509807.exe 1 8->16         started        41 C:\Users\user\AppData\Local\...\wfhp2.dll, PE32 12->41 dropped 83 Multi AV Scanner detection for dropped file 12->83 19 aiaf.exe 12->19         started        43 C:\Users\user\AppData\Local\...\wfhp2.dll, PE32 14->43 dropped 21 aiaf.exe 14->21         started        signatures5 process6 signatures7 55 Sample uses process hollowing technique 16->55 57 Installs a global keyboard hook 16->57 23 AppLaunch.exe 15 3 16->23         started        27 AppLaunch.exe 2 16->27         started        29 AppLaunch.exe 19->29         started        31 AppLaunch.exe 19->31         started        process8 dnsIp9 45 229.116.3.0.in-addr.arpa 23->45 47 api.mylnikov.org 104.21.9.139, 443, 49717, 49756 CLOUDFLARENETUS United States 23->47 49 icanhazip.com 104.22.19.188, 49715, 49755, 80 CLOUDFLARENETUS United States 23->49 67 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 23->67 69 May check the online IP address of the machine 23->69 71 Tries to steal Instant Messenger accounts or passwords 23->71 51 229.116.3.0.in-addr.arpa 27->51 53 192.168.2.1 unknown unknown 27->53 73 Tries to steal Mail credentials (via file access) 27->73 75 Tries to harvest and steal browser information (history, passwords, etc) 27->75 33 WerFault.exe 29->33         started        35 WerFault.exe 31->35         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 06:52:19 UTC
AV detection:
20 of 47 (42.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hkt76n4w753ywb4sxvu3t6fkbsyj6ez6ifitj6c4rxixjshihaxq._file
Verdict:
unknown
Similar samples:
01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4
222386adc9e4c25fd36319d0ad90f5e9eca14aa8cf3b3f3425dcb60a5fea4b30
3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
8e122a7da836e05e954001c5f6e2209aa5e0835ea7af0e08e324e538a075f364
aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866
d171f74f5d0cb8a469db9262869b3798ae0ed18098b4017207ff7f6e69fcd07a
da3f2156d9c0809395cf299e9818a43849a62226ab3b95fcdc0abd4eda78b3a6
e6678504db885f9146a19df19cf75d3db24776c247c3eabca6f6160f57f5d68e
f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582
fc8981fbaba568d24617445293a465a341cb2ac3055e8cd29c5bad2ee1f6b952
+ 4'765 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/210429-5brjnte27a/
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads local data of messenger clients
Unpacked files
SH256 hash:
22e6a55fb30a124234d9ea17afa2ffcf5611e0fae051765cb2914d033d80102a
MD5 hash:
7fee296cfd460255e60a9553c010a579
SHA1 hash:
709f1c3111b02444203d1c19e99f11195b1a72ec
Link:
https://www.unpac.me/results/634dffc4-fee0-4d9c-9e41-dc2609505da8/
SH256 hash:
3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f
MD5 hash:
53f3f8405d443555060e64fff3f77a29
SHA1 hash:
bdebda6c11e8d443f3cd5a9260319939f4dc7701
Link:
https://www.unpac.me/results/634dffc4-fee0-4d9c-9e41-dc2609505da8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3aa7ff3796ff778b0792bd69b9f8aa0cb09f133e415134f85c8dd174c8e8382f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/146429/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-29 07:07:24 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.001] Data Micro-objective::CRC32::Checksum
1) [C0026.002] Data Micro-objective::XOR::Encode Data
4) [C0046] File System Micro-objective::Create Directory
5) [C0048] File System Micro-objective::Delete Directory
6) [C0047] File System Micro-objective::Delete File
7) [C0049] File System Micro-objective::Get File Attributes
8) [C0051] File System Micro-objective::Read File
9) [C0050] File System Micro-objective::Set File Attributes
10) [C0052] File System Micro-objective::Writes File
11) [E1510] Impact::Clipboard Modification
12) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
13) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
14) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
15) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
16) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
17) [C0017] Process Micro-objective::Create Process
18) [C0038] Process Micro-objective::Create Thread