MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b462f4db0471866ee181d9443901bea858dd4cf75fef45cca8ab04dd197e94a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	3b462f4db0471866ee181d9443901bea858dd4cf75fef45cca8ab04dd197e94a
SHA3-384 hash:	4e2d2a84babec075bcc43a447b4f3332138e5edab95b046a782463b3012ca461960b358733ca12dfed892ed3fcf6b05a
SHA1 hash:	8197e6e087568ce455cfea832f9b5318cd8f4656
MD5 hash:	496d52974a2b46f70f155b696814ad38
humanhash:	music-high-december-hamper
File name:	SecuriteInfo.com.Variant.Marsilia.29066.692.14798
Download:	download sample
File size:	555'520 bytes
First seen:	2023-03-23 21:31:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:jWonrSWGOnKLDWqVnbijCwSFnT/uRlomeUfnGIh2qnXttukB:CzWXnKLCq1bsGFT/u1pflcqfuk
Threatray	2'046 similar samples on MalwareBazaar
TLSH	T1E4C423B1BBDCC561C2065E709E958217586322092A9705F3FC1156CFAABAFD739CF3A0
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

227

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Marsilia.29066.692.14798

Verdict:

Suspicious activity

Analysis date:

2023-03-23 21:34:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/db8a9ff3-060e-4d3a-8341-806ac293a3e6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/376937/

Detection(s):

SecuriteInfo.com.Variant.Marsilia.29066.692.14798.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Creating a window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

comodo formbook packed remcos

Link:

https://www.filescan.io/uploads/641cc5556ed02dd52de523ed/reports/002b3c54-0e88-4a54-8b6f-935147d99a7e/overview

Verdict:

Malicious

Labled as:

Marsilia.Generic

Link:

https://www.hybrid-analysis.com/sample/3b462f4db0471866ee181d9443901bea858dd4cf75fef45cca8ab04dd197e94a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bc023e49-3968-4b36-be4c-e4dc1e96498a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1200830

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b462f4db0471866ee181d9443901bea858dd4cf75fef45cca8ab04dd197e94a/

Threat name:

ByteCode-MSIL.Trojan.Marsilia

Status:

Malicious

First seen:

2023-03-21 05:39:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hndc6tnqi4mgn3qydwkehea35kcy3vgpox7pixgkrkye3umx5ffa._file

Verdict:

malicious

62c22196418123be9af8ab9c5a0d6ceac9b966b8ac5c241fa2f59fe64f3dbf50

65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad

6b58715b6f88fa91e2fb481b8640ff8579023e5d586b2964fbeac6f5ec63d5f8

6e0a7c7256246dfec4aeeebbfe2e1bf9d1a677a8688017fcf08748aee3ed52b3

841c1860b52b3817eed70e4d1f1bca972f0406e666bd8d034735fe70cc713831

91317464f677d1408e609d2296203b84cebed70ebc9aec92b51734c52db5bb32

cdda25e04fe115e6096cda6bcd6c8d9176ef5e6b6a7a52019aa58e938493413e

+ 2'036 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/230323-1dl2cscc5v/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Unpacked files

SH256 hash:

79c0464e69727027b80c0cdcb5f77b9c864c6157430b43f2600c081078b8ee1d

MD5 hash:

99427f0042e784545831c56f2ec0e94b

SHA1 hash:

fb6c35027f8560ff99f2e360564103aa3e4691a5

Link:

https://www.unpac.me/results/ced0c79b-83db-4950-81a4-d70c5201e474/

SH256 hash:

6b77e2bfff019609c509c3e559c6870dbb7e8d8b9979affb98440e079c99e354

MD5 hash:

958e4d62824c29a594256646c3d6bbf9

SHA1 hash:

e2f2004a3932381c8e70ecde39a129f0f6add9b0

Link:

https://www.unpac.me/results/ced0c79b-83db-4950-81a4-d70c5201e474/

SH256 hash:

49bbd6995318d018d4a5ff64c9786ff6b29cceaeaf32e158d443261edaf9b963

MD5 hash:

45fd50533b1682e6dfe6e55331ab8df6

SHA1 hash:

308bb5d6fee9790c2d1e2c4cda4679088db89307

Link:

https://www.unpac.me/results/ced0c79b-83db-4950-81a4-d70c5201e474/

SH256 hash:

3b462f4db0471866ee181d9443901bea858dd4cf75fef45cca8ab04dd197e94a

MD5 hash:

496d52974a2b46f70f155b696814ad38

SHA1 hash:

8197e6e087568ce455cfea832f9b5318cd8f4656

Link:

https://www.unpac.me/results/ced0c79b-83db-4950-81a4-d70c5201e474/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/376937/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample