MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3efb8d6a873c1553f95c6d20ef6a489530040080a837fbf7cf91108501e8fa49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown

Vendor detections: 5


SHA256 hash: 3efb8d6a873c1553f95c6d20ef6a489530040080a837fbf7cf91108501e8fa49
SHA3-384 hash: 3a8bf4040be61280fc2ef37f273b9c4bd0e1d69cd830e240f7835a9d4d6fff21df29bbc225ac1ce2691694985635026d
SHA1 hash: d654b5bb277ec31d92552824dbeb0bb09f13a66e
MD5 hash: 98bd04ca5fb71ba249683cd17c47715d
humanhash: three-pizza-coffee-monkey
File name: IMG_601_223_458.exe
Download: download sample
File size: 685'368 bytes
First seen: 2021-05-05 08:53:20 UTC
Last seen: 2021-05-05 10:05:43 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:+1fxhwL8mLAHefRIZtbVqrTwqEZa1Gz6sUurc:6ZyJAH/ZtxqEZaLe
Threatray: 11 similar samples on MalwareBazaar
TLSH: 26E45D0417E45B97C2AE03B9E198E63173F5DE05A25AAB8B690BFAF53F7339144009D3
Reporter: abuse_ch
Tags: exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 68
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request

Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2021-05-05 01:20:10 UTC
AV detection: 14 of 47 (29.79%)
Threat level: 5/5

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext

Unpacked files
SHA256 hash: be56498a638f21cfaaadcd9dffc7922cde770a30e400830dedd716dd44673044
MD5 hash: 730ad13233b6e84d8eace511090a3bb6
SHA1 hash: 11eed4f2e4fdea6e304938bb5f43f7df915f5836

SHA256 hash: 1a777affc596045a53631cc9b27c985385ea2641409184547491a05d75864d7f
MD5 hash: 726c7bdb068fa7b15f2569cdd7caccd0
SHA1 hash: 7a928cc5a4aa9c8ec46bdbed8385cef945a23e23

SHA256 hash: 34bbea772d6bc2ffb6ff879346cf025379e6b65a7e76dcb94dbe61dc588ba9fa
MD5 hash: a12bff5e88ef00d440dc169760b797d5
SHA1 hash: fd4f32f1a3c5f9efc34ed101661f732cfac814b0

SHA256 hash: ae07e2b9b48a1975dc1b8bef84c423948211e8f7048a7f9628cfbd5ef6869182
MD5 hash: 2a87e50ef8701f1dd2c59e2680b1ee18
SHA1 hash: c3acdb1a8940449dbb6ded1babba27140c13acb4

SHA256 hash: 3efb8d6a873c1553f95c6d20ef6a489530040080a837fbf7cf91108501e8fa49
MD5 hash: 98bd04ca5fb71ba249683cd17c47715d
SHA1 hash: d654b5bb277ec31d92552824dbeb0bb09f13a66e

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: dsc
Author: Aaron DeVera
Description: Discord domains

Rule name: INDICATOR_KB_CERT_04f131322cc31d92c849fca351d2f141
Author: ditekSHen
Description: Detects executables signed with stolen, revoked or invalid certificates

Rule name: pe_imphash

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 3efb8d6a873c1553f95c6d20ef6a489530040080a837fbf7cf91108501e8fa49 (this sample)

Delivery method: Distributed via web download

Comments
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 09:00:27 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program