MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816
SHA3-384 hash: 66eb6d7d3265482c8592121553853704f516381f4e1d803213429a821a4c08c4af59a90298274cb5f72bd65b5e72a6be
SHA1 hash: b29c44e7aec0952a82af00ee1e7e00d4c53f4626
MD5 hash: 999be7fe0fcff066def3cd9d289eaf30
humanhash: twenty-nitrogen-juliet-london
File name:PO.exe
Download: download sample
File size:450'790 bytes
First seen:2023-02-23 09:26:38 UTC
Last seen:2023-02-23 11:28:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 427 x GuLoader)
ssdeep 12288:vYfiBzGrP4IqLpsCJutnd+3br6vUzJvS97GV47afP5:vYf1ATutd+3bWAJvA7m4q5
Threatray 12 similar samples on MalwareBazaar
TLSH T13BA423202CB0E46BD9235B72DEB9776B5BF1F5783166C96323255E787210688CA3F342
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 09:29:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d312c831-6b8f-4af8-b6ec-662ebf7ea84f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369236/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.24.2949.27684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Searching for the window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63f7316842bf85850e43a671/reports/d94f6cf3-78c0-4e7f-8d47-1196ccd9a1c0/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/622fae1e-e114-4d81-98ca-6f2d53be6a74
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1181178
Signature
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 814007 Sample: PO.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 88 56 Multi AV Scanner detection for submitted file 2->56 58 Yara detected Generic Dropper 2->58 60 Machine Learning detection for sample 2->60 7 PO.exe 19 2->7         started        10 ktpyienw.exe 1 2->10         started        13 ktpyienw.exe 1 2->13         started        process3 file4 38 C:\Users\user\AppData\...\wsczuscqce.exe, PE32 7->38 dropped 15 wsczuscqce.exe 1 3 7->15         started        62 Multi AV Scanner detection for dropped file 10->62 64 Machine Learning detection for dropped file 10->64 19 WerFault.exe 3 10 10->19         started        21 conhost.exe 10->21         started        23 WerFault.exe 10 13->23         started        26 conhost.exe 13->26         started        signatures5 process6 dnsIp7 40 C:\Users\user\AppData\...\ktpyienw.exe, PE32 15->40 dropped 48 Multi AV Scanner detection for dropped file 15->48 50 Machine Learning detection for dropped file 15->50 52 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 15->52 54 2 other signatures 15->54 28 wsczuscqce.exe 8 15->28         started        32 conhost.exe 15->32         started        34 wsczuscqce.exe 15->34         started        36 2 other processes 15->36 42 192.168.2.1 unknown unknown 23->42 file8 signatures9 process10 dnsIp11 44 mail.esmenda.com 28->44 46 esmenda.com 216.218.206.54, 49723, 49727, 49728 CENTRALUTAHUS United States 28->46 66 Tries to harvest and steal browser information (history, passwords, etc) 28->66 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 09:27:07 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 25 (92.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hqikeyymy5ljgkdbigjpy7tp5knrl7e2nvlpqr7p7bqluxvblala._file
Verdict:
malicious
Similar samples:
0b4b90f2171053a18787c0e435375f0389de6da5d8b87e502529d20bf50d1389
0bd6d3905b8463f23246c3b7953239277f0ffbf0096367ca02dce1cc38cc4e27
0d5d88dc43aa8b58db913ba723acaa6106f2eae2cde854712aed4b1676421d7a
353a133b42bee88f0bc7c2fb4c5bcac42d1d63e5098c1c4bf881670c7dfa2c9e
3c703c79f804220c6210cef1c0e98cd7cdce8848e84483b5d371e05f5edf02a5
51a0bb47c795950136c662cb09a2efd39d2d4c1cdd1d16e1430506d3a6160220
90993a3235dc0c8677796ee6e9493b38bf5d1262a80905cb5aab896b28c714f9
b03225ede8b6ce37f12a6999260e06d0274ced375ac52294cae061a50dc61527
cc012015571f75771700164d8e5fe60c7ea9a2f351a698ebce99ef8a2a5f071c
e1ad02b9c0748d0adf302dea6ec50274153644d8d8967d3945944b6c72390fdd
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230223-lerkxafd68/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
6e09b74038b232248427a8afe6c7fc1fd51c0af1db97a25a5d9eda68d5c0b349
MD5 hash:
251b0525a833caf15071963c22154a02
SHA1 hash:
d9fa19750dbf2f17448fcd9daa26393858fb7183
Link:
https://www.unpac.me/results/71a87072-d812-448c-96e9-bcc18fb57f36/
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/71a87072-d812-448c-96e9-bcc18fb57f36/
SH256 hash:
1c43cf72f7823c4a1cb6b75ad029c668579a127706dc0eacc2dd2cd9e0798745
MD5 hash:
dda4c4230a238e215ef581514544d117
SHA1 hash:
688e294dce89b66bb6d103715eb37c0315e7e432
Link:
https://www.unpac.me/results/71a87072-d812-448c-96e9-bcc18fb57f36/
SH256 hash:
3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816
MD5 hash:
999be7fe0fcff066def3cd9d289eaf30
SHA1 hash:
b29c44e7aec0952a82af00ee1e7e00d4c53f4626
Link:
https://www.unpac.me/results/71a87072-d812-448c-96e9-bcc18fb57f36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/369236/

Comments