MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676
SHA3-384 hash: ef0965b972a836b42427a2d7e05f503d5a94bc08abd15fd47658a1c1980f5ad8b18a7f0ad6d7850d73371d23c4fc91fc
SHA1 hash: c2204d44dff2bf38fa1a3a5e858c57d9b7fcc8e6
MD5 hash: c79c953d58f1b8f3a71ee1392d91955a
humanhash: twenty-snake-beer-lamp
File name:c79c953d58f1b8f3a71ee1392d91955a
Download: download sample
File size:1'537'024 bytes
First seen:2022-06-06 06:01:09 UTC
Last seen:2022-06-06 06:40:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:gx0vtufKPsjpkbPwdnITPkGr9HtTwkpXDvASps9ojoU6ISv3OvSJ9QFQfrXu:gm7hzwdcsGttTwsUA0cSPaQf
Threatray 19 similar samples on MalwareBazaar
TLSH T18E65AE62F9C2C1B2FDD515BA82FE2B371F394506632984E776C419E09AA10E275BF343
TrID 62.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
23.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
4.1% (.SCR) Windows screen saver (13101/52/3)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
332
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c79c953d58f1b8f3a71ee1392d91955a
Verdict:
Malicious activity
Analysis date:
2022-06-06 06:03:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73383dd9-84d5-420d-a285-02a4e8948570

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276878/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader44.62979.12154.2604.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed snake
Link:
https://www.filescan.io/uploads/629d985b4c4e28fcf3b85e80/reports/c3185c87-5056-4c5c-99ba-b929130b25a3/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/777c1fcc-bbe1-45cc-a57c-f43730623e89
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1007095
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676/
Threat name:
ByteCode-MSIL.Trojan.GenericML
Create hunting rule
Status:
Malicious
First seen:
2022-06-04 02:45:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hwt5ztaosldtetpka7prboutrxjb6rbw5g4n2iciqul3l37woz3a._file
Verdict:
malicious
Similar samples:
079871499bdc91b180fcd73f10d7db76fcabbbdd29017ad0f8fe82f5c18b39a8
0b3020eb6b8360bae5958d4f8e877fe532d1c21bbaa851c364aaef0b6f67e1ac
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
775ab7ffed2631864bc91813bd21153746938d4bc1045038a02da5d7fa4a5216
8ae291c9a45bfe7bf3548ff2ed9f5221adf42810bcd7eca100dccb475a4b99be
8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
e0cea593cef95fc3438ec707ef6d293c3189c3a3144a389f790cccfaec770759
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
f297f0a8651e14cf884331bc4ae10c238a6c79385741e507dc7df7c88b85beb8
f937bbe27c6d52452a121bc9aa320c26ae7eada7cadc9dda0fafc2c6b1bd5818
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/220606-grflysece6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c78a2de3a140309250a1c7ee8c3c853fa77d29293e3cabad66a89e66bc63e64d
MD5 hash:
31f54131ede7cdad1cfaea0b52551b25
SHA1 hash:
945c8b871bb7121546e69d9e270fc59c57be42f9
Link:
https://www.unpac.me/results/d34788a3-1999-40ff-9e02-32ad56b454ce/
SH256 hash:
d9a6f005ed59a855f1d22842a7ea044738ebb529907c5da357c790de8e35a075
MD5 hash:
1e2222a4791e32e949477a230886f581
SHA1 hash:
7a7555b48a4114b8ea804cefe919da586be81323
Link:
https://www.unpac.me/results/d34788a3-1999-40ff-9e02-32ad56b454ce/
SH256 hash:
3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676
MD5 hash:
c79c953d58f1b8f3a71ee1392d91955a
SHA1 hash:
c2204d44dff2bf38fa1a3a5e858c57d9b7fcc8e6
Link:
https://www.unpac.me/results/d34788a3-1999-40ff-9e02-32ad56b454ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2226842/
Cape
Cape
https://www.capesandbox.com/analysis/276878/

Comments


Avatar
zbet commented on 2022-06-06 06:01:15 UTC

url : hxxp://russk21.icu/ex.exe