MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c
SHA3-384 hash: b918f03dd0ad417a3f378c49863bba558ee03811e965060536e497476265669be363036e560bb3589bf9a386796038f5
SHA1 hash: 8e1e3fde6c4f79451ee0138a387dbf870ba53e49
MD5 hash: 2e9820ecd1baa3220c65cfede97c119d
humanhash: fish-ohio-xray-butter
File name:2e9820ecd1baa3220c65cfede97c119d.exe
Download: download sample
File size:7'386'112 bytes
First seen:2021-03-17 08:23:30 UTC
Last seen:2021-03-17 10:44:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:qEvaYlFt2R69NYi3gn0qkBR4Sotx55fuwJiF1hn2sW8/EE4gKSvC/9lGgS1bAGqr:U
Threatray 64 similar samples on MalwareBazaar
TLSH 1976D98ADFD765899415276E932187E6B329073ACB6CF4406537F12E7C8730A26CBC39
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2e9820ecd1baa3220c65cfede97c119d.exe
Verdict:
Malicious activity
Analysis date:
2021-03-17 08:42:44 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/885b5832-6e4d-40ed-a0b2-e2ed6d3a60c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.531.21912.2098.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)
Launching cmd.exe command interpreter
Sending a UDP request
Creating a process from a recently created file
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/641889
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Suspicious Certutil Command
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 369918 Sample: cLdJBSHbAd.exe Startdate: 17/03/2021 Architecture: WINDOWS Score: 68 60 Multi AV Scanner detection for submitted file 2->60 62 Sigma detected: Suspicious Certutil Command 2->62 9 cLdJBSHbAd.exe 3 2->9         started        12 rundll32.exe 2->12         started        process3 signatures4 64 Hides threads from debuggers 9->64 14 cmd.exe 1 9->14         started        17 cLdJBSHbAd.exe 1 6 9->17         started        19 WerFault.exe 23 9 9->19         started        22 cLdJBSHbAd.exe 9->22         started        process5 file6 66 Submitted sample is a known malware sample 14->66 68 Obfuscated command line found 14->68 70 Uses ping.exe to sleep 14->70 72 Uses ping.exe to check the status of other devices and networks 14->72 24 conhost.exe 14->24         started        26 timeout.exe 1 14->26         started        28 cmd.exe 1 17->28         started        30 cmd.exe 1 17->30         started        50 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->50 dropped signatures7 process8 process9 32 cmd.exe 2 28->32         started        35 conhost.exe 28->35         started        37 certutil.exe 2 28->37         started        39 conhost.exe 30->39         started        signatures10 56 Obfuscated command line found 32->56 58 Uses ping.exe to sleep 32->58 41 PING.EXE 1 32->41         started        44 certutil.exe 1 32->44         started        46 Indugia.com 32->46         started        48 findstr.exe 1 32->48         started        process11 dnsIp12 52 127.0.0.1 unknown unknown 41->52 54 192.168.2.1 unknown unknown 41->54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-03-17 08:24:13 UTC
AV detection:
14 of 47 (29.79%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
16bbaa4003bd7b0ee00634113bd4da02b153f09817263dda98bb06d012c18d74
22f8d1582e34c1754955d616542d3bf5e784d357ed58dd45e6bc3a5df9c82446
3b63323d965a34d9a828593150e9c765b085eb844c8c1596a86def9b623e099e
5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
883bd670d55447865cc753c58efafc0c26c17c8d2b11b10f3bc9f70093abe507
9bae8f0da8acb0e760eb61482cafc928199f841e10e0426a6650d140be0154c3
c059548509d5ca453810776ad5bdea3440fb122b361211616d7300cc3b25fac0
e01d9c12ce59def16d3aa593e461d13173b98d4cef9658834f756ff4edbfd3d7
+ 54 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210317-32jmcqwymx/
Behaviour
Delays execution with timeout.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
f2d8eb0d41e0a714173abe6a609b30cb386bc134f8ebd968f1418448ebb4f0b1
MD5 hash:
4767904931c8469db182b651954b8e0e
SHA1 hash:
9eef66a1161e21e22ae2038c3241ba7a7ee10b88
Link:
https://www.unpac.me/results/7090014a-db1d-40ab-a1a8-6a5668df1902/
SH256 hash:
bb34e349820a3aaf91b035f050103bd4864b4650f2e788b2b1f08475b52becbf
MD5 hash:
91c3e67dedc26d6663ef3fa10341af11
SHA1 hash:
cb7806fc509627a4b1be9d17a6a85b8563448134
Link:
https://www.unpac.me/results/7090014a-db1d-40ab-a1a8-6a5668df1902/
SH256 hash:
826f0a4f0ff4ce8a9e5fe628fe533d3d686ae3ab8af978a0b3eda4509f50e1a0
MD5 hash:
b33205748deadfbcc2aac62a0ade8c94
SHA1 hash:
eede98bf89332f58fa102d74f074e9d79a0d4ef1
Link:
https://www.unpac.me/results/7090014a-db1d-40ab-a1a8-6a5668df1902/
SH256 hash:
3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c
MD5 hash:
2e9820ecd1baa3220c65cfede97c119d
SHA1 hash:
8e1e3fde6c4f79451ee0138a387dbf870ba53e49
Link:
https://www.unpac.me/results/7090014a-db1d-40ab-a1a8-6a5668df1902/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3eec2f0cec06aaf7f41a67bfff612f25c821ed90f47d49afd0b6a6d799ae516c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1072575/
  
Delivery method
Distributed via web download

Comments