MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
SHA3-384 hash: 3616a9d32d431976c5f6a9c6682168a9414291ee8fb9d91c2489196f094b7ef728f1fdef302a80c5b0b762bf58bddcad
SHA1 hash: edc26e8f7c2d10b15a476a34eccc52dcfef61577
MD5 hash: 8fc65757011f067d0f35d6d4655e75d1
humanhash: lamp-whiskey-bluebird-lion
File name: 8fc65757011f067d0f35d6d4655e75d1.exe
File size: 7'124'272 bytes
First seen: 2021-03-17 08:24:08 UTC
Last seen: 2021-03-17 10:43:50 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:2E74gY2/72/H/B7/qBonrQnOBbjuD5Ofwm8F/BraAMpVKWiQTbXl3RDpgSK7Cf/W:
Threatray: 64 similar samples on MalwareBazaar
TLSH: A876FF442F7309CCBBBA21760CABE1C8A2BA5514B6EF792459ADD2479873405930FF73
Reporter: abuse_ch
Tags: exe
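Two checks a practitioner would run against this entry, as an added example that is not MalwareBazaar code: recompute the four listed digests for a local copy of the file and compare them, and recompute an imphash from an import list using the normalisation pefile applies (lower-cased DLL name with a .dll/.ocx/.sys extension stripped, joined with a dot to the lower-cased function name, all entries comma-joined in import-table order, MD5). The imphash on this entry, f34d5f2d4577ed6d9ceec516c1f5a744, is the MD5 of "mscoree._corexemain", which is what every .NET executable produces because its only native import is mscoree.dll!_CorExeMain. That is why the same value matches tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples and carries no family signal for this file. The ws2_32 ordinal table below is a deliberately partial stand-in for pefile's ordlookup data, and the import lists used are constructed, not read from this sample.

```python
"""Added example, not MalwareBazaar code: check a local file against the
hashes on this entry and recompute an imphash from an import list."""
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Hashes copied from this MalwareBazaar entry.
ENTRY_HASHES = {
    "md5": "8fc65757011f067d0f35d6d4655e75d1",
    "sha1": "edc26e8f7c2d10b15a476a34eccc52dcfef61577",
    "sha256": "3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e",
    "sha3_384": "3616a9d32d431976c5f6a9c6682168a9414291ee8fb9d91c2489196f094b7ef7"
                "28f1fdef302a80c5b0b762bf58bddcad",
}
ENTRY_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def file_hashes(data: bytes) -> Dict[str, str]:
    """Compute the four digests MalwareBazaar lists for a sample."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_entry(data: bytes) -> Dict[str, bool]:
    """Per-algorithm match against this entry. An intact copy of the sample
    matches all four; a mix of True and False means a corrupted or tampered file."""
    computed = file_hashes(data)
    return {alg: computed[alg] == digest for alg, digest in ENTRY_HASHES.items()}


# Deliberately partial stand-in for pefile's ordlookup table (assumption: only
# these ws2_32/wsock32 ordinals are resolved; any other ordinal becomes "ordN").
_WS2_32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
                    23: "socket", 115: "WSAStartup", 116: "WSACleanup"}

# One import: (DLL name as in the import directory, function name or None, ordinal or None)
Import = Tuple[str, Optional[str], Optional[int]]


def imphash(imports: Iterable[Import]) -> str:
    """Imphash as pefile computes it: 'dll.func' entries in import-table order,
    lower-cased, DLL extension stripped, comma-joined, then MD5."""
    parts = []
    for dll, name, ordinal in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        if name is None:  # import by ordinal: resolve where a table exists
            if lib in ("ws2_32", "wsock32") and ordinal in _WS2_32_ORDINALS:
                name = _WS2_32_ORDINALS[ordinal]
            else:
                name = f"ord{ordinal}"
        parts.append(f"{lib}.{name.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def is_generic_dotnet_imphash(value: str) -> bool:
    """True when the imphash is just the .NET loader stub (mscoree!_CorExeMain)
    and therefore says nothing about the malware family."""
    return value.lower() == imphash([("mscoree.dll", "_CorExeMain", None)])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(matches_entry(fh.read()))
    print("entry imphash is the generic .NET stub:",
          is_generic_dotnet_imphash(ENTRY_IMPHASH))
```

Run it with the path to a downloaded copy as the first argument; every value in the returned dict should be True for an unmodified sample. Pivoting on this imphash alone would pull in every .NET binary in the database, so use ssdeep, TLSH or the Threatray similarity count on the entry for clustering instead.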

Intelligence

File Origin
# of uploads: 2
# of downloads: 114
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 8fc65757011f067d0f35d6d4655e75d1.exe
Verdict: Malicious activity
Analysis date: 2021-03-17 08:35:14 UTC
Tags: autoit

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Launching cmd.exe command interpreter
Creating a process from a recently created file
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 69 / 100
Signatures
.NET source code contains very large array initializations
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 369945; sample renamed xARcpdYdew.exe; start date 17/03/2021; architecture WINDOWS; score 69), flattened from the graph into a process tree, with dropped files, network contacts and signatures attached to the process that produced them:

Start
  signatures: Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location; .NET source code contains very large array initializations; 2 other signatures
  |- xARcpdYdew.exe
  |    drops: C:\Users\user\AppData\...\xARcpdYdew.exe.log (ASCII)
  |    signatures: Injects a PE file into a foreign processes
  |    \- xARcpdYdew.exe (child instance)
  |         |- cmd.exe
  |         |    |- conhost.exe
  |         |    |- certutil.exe
  |         |    \- cmd.exe
  |         |         signatures: Obfuscated command line found; Uses ping.exe to sleep
  |         |         |- PING.EXE -> 127.0.0.1
  |         |         |- findstr.exe
  |         |         |    drops: C:\Users\user\AppData\Local\Temp\...\Lume.com (Targa)
  |         |         |- certutil.exe
  |         |         \- Lume.com
  |         |              signatures: Drops PE files with a suspicious file extension
  |         |              \- Lume.com (child instance)
  |         |                   DNS: VMBhvxreQIjliyC.VMBhvxreQIjliyC
  |         |                   drops: C:\Users\user\AppData\...\DPBqnlFAiu.com (PE32); C:\Users\user\AppData\Local\...\RegAsm.exe (PE32); C:\Users\user\AppData\...\DPBqnlFAiu.url (MS)
  |         |                   signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
  |         |                   \- RegAsm.exe
  |         |                        network: 45.139.236.102, port 228 (TEAM-HOSTASRU, Russian Federation)
  |         \- cmd.exe
  |              signatures: Submitted sample is a known malware sample; Obfuscated command line found; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks
  |              \- conhost.exe
  |- wscript.exe
  \- rundll32.exe
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2021-03-17 08:25:09 UTC
AV detection: 20 of 47 (42.55%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256: cadf721e2a978e16d976cb303bada887327fc7354450938f58d52e5a3a659e1d
  MD5: fae3cbb40627f9179eda1f3fb606ba6b
  SHA1: 889b26d8806c52ba94353a66962300f6adea2288
SHA256: 328dce5814c6e7f6b7d027b76f2c1d38333a43248c962ca50c3a7de6e0bb4a60
  MD5: 50d972c97a0c3850c21dcdf567e85253
  SHA1: 9d3d1292dd8e0109b8cfc9eee9392a268fff2cf3
SHA256: d3c16112a56249d394c34134e71a6860fba98098f013a84557ba6159e18973d8
  MD5: 826f97c7a24ccc418601f78c35ea1f8b
  SHA1: a23ac15198ead14b2040f248ce0335561f65d133
SHA256: 3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e (the submitted sample itself)
  MD5: 8fc65757011f067d0f35d6d4655e75d1
  SHA1: edc26e8f7c2d10b15a476a34eccc52dcfef61577
Please note that we are no longer able to provide a coverage score for Virus Total.
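The Joe Sandbox signatures above (ping.exe used to sleep, a suspicious certutil command, an obfuscated command line, a PE dropped with a .com extension, a script dropped at a startup location) and the behaviours in the last vendor block (Runs ping.exe, Adds Run key to start application, Drops startup file) are all visible in ordinary process-creation telemetry. As an added example that is not part of this entry or of either vendor's product, the following heuristics classify constructed process-creation records. The command lines are made up to exercise each rule and are not this sample's actual command lines, and the thresholds (three carets, the cmd %var:~n,m% substring syntax, the loopback requirement for a ping sleep) are my assumptions, not Sigma rule logic.

```python
"""Added example, not MalwareBazaar or any vendor's code: command-line
heuristics for the behaviours listed in this entry, run over constructed
process-creation records (parent image, image, command line)."""
import re
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str]

# Constructed records, not taken from the sandbox report. Paths use the
# sandbox's C:\Users\user layout only so the staging-directory rule has
# something realistic to match.
SAMPLE_EVENTS: List[Event] = [
    ("cmd.exe", "PING.EXE", "ping -n 6 127.0.0.1 > nul"),
    ("cmd.exe", "certutil.exe",
     r"certutil -decode C:\Users\user\AppData\Local\Temp\blob.txt C:\Users\user\AppData\Local\Temp\stage.com"),
    ("cmd.exe", r"C:\Users\user\AppData\Local\Temp\stage.com",
     r"C:\Users\user\AppData\Local\Temp\stage.com"),
    ("cmd.exe", "cmd.exe", 'cmd /c s^e^t "x=hello" && echo %x:~0,2%'),
    ("stage.com", "cmd.exe",
     r'cmd /c copy "C:\Users\user\AppData\Roaming\launch.url" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\launch.url"'),
    ("explorer.exe", "ping.exe", "ping -n 4 contoso.example"),  # ordinary ping, must not fire
]

PING = re.compile(r"\bping(?:\.exe)?\b", re.I)
PING_COUNT = re.compile(r"\s-n\s+\d+", re.I)
LOOPBACK = re.compile(r"127\.0\.0\.1|\blocalhost\b", re.I)
# certutil used to decode a staged blob or to fetch/encode content
CERTUTIL = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|decodehex|encode|urlcache)\b", re.I)
# cmd.exe variable-substring syntax, e.g. %x:~0,2%, a common string-building trick
VAR_SUBSTRING = re.compile(r"%[^%\s]+:~-?\d+(?:,-?\d+)?%")
STARTUP = re.compile(r"\\start menu\\programs\\startup\\|\\currentversion\\run\b", re.I)
STAGING = re.compile(r"\\(?:appdata|temp)\\", re.I)
SUSPICIOUS_EXT = (".com", ".pif", ".scr")
CARET_THRESHOLD = 3  # assumption: three or more escape carets counts as obfuscation


def classify(image: str, cmdline: str) -> Set[str]:
    """Return the set of behaviour tags one process-creation record triggers."""
    tags: Set[str] = set()
    # ping used as a sleep: a count and a loopback target, never a real host
    if PING.search(cmdline) and PING_COUNT.search(cmdline) and LOOPBACK.search(cmdline):
        tags.add("ping_sleep")
    if CERTUTIL.search(cmdline):
        tags.add("certutil_decode_or_download")
    if cmdline.count("^") >= CARET_THRESHOLD or VAR_SUBSTRING.search(cmdline):
        tags.add("obfuscated_cmdline")
    if STARTUP.search(cmdline):
        tags.add("startup_persistence")
    image_lower = image.lower()
    # a PE executed under a non-.exe extension out of a user-writable staging directory
    if image_lower.endswith(SUSPICIOUS_EXT) and STAGING.search(image_lower):
        tags.add("pe_with_suspicious_extension")
    return tags


def scan(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """Classify every record; tags are sorted so results are stable."""
    return [(image, sorted(classify(image, cmdline))) for _parent, image, cmdline in events]


def triage_summary(events: List[Event]) -> Dict[str, int]:
    """How often each tag fired across the batch, for a quick verdict."""
    counts: Dict[str, int] = {}
    for _image, tags in scan(events):
        for tag in tags:
            counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags) or '-'}")
    print(triage_summary(SAMPLE_EVENTS))
```

Each rule fires on exactly one of the constructed records and the benign ping does not fire at all, which is the point of requiring a loopback target: `ping -n N 127.0.0.1` is a sleep, `ping -n 4 host` is network troubleshooting. The persistence rule only sees command lines, so a Run key set through the registry API rather than reg.exe would need a registry-event source instead.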

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e (this sample)
Delivery method: Distributed via web download