MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fc8d5c41f950cbf8a4becb6390221bbbb8c28a52fbc68b55296ccf6aaec7a45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fc8d5c41f950cbf8a4becb6390221bbbb8c28a52fbc68b55296ccf6aaec7a45
SHA3-384 hash: e36bfc1ede71d2c9cdc21fee818aa14fb8a76fcd8ad5683735d91eed19bd3bfbc63616361f6e118cc6895b36a8f32c7d
SHA1 hash: 276e322d162453c67a9f58747b6635746026de65
MD5 hash: 0437a4a387f2f71a2d7d3e791f73eb3a
humanhash: three-edward-white-may
File name:0437a4a387f2f71a2d7d3e791f73eb3a
Download: download sample
File size:770'560 bytes
First seen:2022-01-05 11:18:26 UTC
Last seen:2022-01-05 13:18:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+94OFI/26V3vgwqEZf/XXGU0/EKkrF4SrbwecO4u+g/o1KYJ2YzAGy6KPNgTA9k9:+y2c2s39qOv2UHbPwecHg/o1KYJ2YzAZ
Threatray 673 similar samples on MalwareBazaar
TLSH T194F4E1C97B89D8B0EB8C0AB7D9B856D037F6D8305A57C116F9C60DB90E1B1F9AD443A0
File icon (PE):PE icon
dhash icon ec65d9c58e865326
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0437a4a387f2f71a2d7d3e791f73eb3a
Verdict:
Suspicious activity
Analysis date:
2022-01-05 11:19:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed88cbde-e184-46df-b66f-a79a02ffcd79

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
zgRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/217427/
Detection(s):
SecuriteInfo.com.Typical_Malware_String_Transforms.32474.16589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61d57ea892bdc4b407803c19/reports/7232fc7f-494f-4db0-bb45-51bc738136c0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e6a60fa7-0d69-4c57-a2fd-28715a49657b
Result
Threat name:
IPack Miner
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/915776
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected IPack Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 548254 Sample: avp0YI62uf Startdate: 05/01/2022 Architecture: WINDOWS Score: 100 37 Antivirus detection for dropped file 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for dropped file 2->41 43 8 other signatures 2->43 7 avp0YI62uf.exe 15 10 2->7         started        process3 dnsIp4 35 discordapp.com 162.159.129.233, 443, 49823 CLOUDFLARENETUS United States 7->35 27 C:\Users\user\AppData\Roaming\...\Discord.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\...\avp0YI62uf.exe, PE32 7->29 dropped 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 7->31 dropped 33 3 other malicious files 7->33 dropped 45 Detected unpacking (overwrites its own PE header) 7->45 47 Creates an undocumented autostart registry key 7->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->49 51 6 other signatures 7->51 12 avp0YI62uf.exe 7->12         started        15 powershell.exe 18 7->15         started        17 AdvancedRun.exe 1 7->17         started        19 2 other processes 7->19 file5 signatures6 process7 signatures8 53 Antivirus detection for dropped file 12->53 55 Multi AV Scanner detection for dropped file 12->55 57 Machine Learning detection for dropped file 12->57 59 2 other signatures 12->59 21 conhost.exe 15->21         started        23 AdvancedRun.exe 17->23         started        25 AdvancedRun.exe 19->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fc8d5c41f950cbf8a4becb6390221bbbb8c28a52fbc68b55296ccf6aaec7a45/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-01-05 10:26:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 27 (74.07%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
02a6c3107c222062f0102daa96954f22d2af742dfecf45477478a243799301a0
1b505dd97979f77eb945dced33b51d4ce2f026c12e6a80ca4ddae93f5756b369
695722bddb32724a102d8d12aca0ebc841c4944f52632c3ea595941a6e988759
6ff685e5acfd946101b558f9f9d47a0d515c62e7476f5f83694609d64343315e
800b4455105a08833332092017909f9dd47bd4ebfb1cbddbe0b95658d03b8d64
84a5f6bd4a13a1926ab7e242b88c8956857be6bc2a4c2d4faa27949c3b3483db
b1fde48aa3298e07bede742647168ab9d13d509d04cb0aad30d0c80a3d893530
b2ce2ad6d522621b917ce77b362541bcfa0976bdcbbc36f1a57ec1c5d6199112
ef1e1769665ea5ec9a7bf2b55ff43d2d1d741512eb6d3d3ab4b8347a1aa20042
+ 663 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220105-nevcxaaefn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Nirsoft
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
16a82e15dc9054f9383cefb079035052419fd3b197154678b2a97362d071d842
MD5 hash:
2a52a97015e2b62634491cb25198e61a
SHA1 hash:
c8a9fbd4470e0f5f65ebe88832034139642d957e
Link:
https://www.unpac.me/results/ee13902a-70ba-41bd-a0f5-869a29bcdffd/
SH256 hash:
3fc8d5c41f950cbf8a4becb6390221bbbb8c28a52fbc68b55296ccf6aaec7a45
MD5 hash:
0437a4a387f2f71a2d7d3e791f73eb3a
SHA1 hash:
276e322d162453c67a9f58747b6635746026de65
Link:
https://www.unpac.me/results/ee13902a-70ba-41bd-a0f5-869a29bcdffd/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3fc8d5c41f95/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fc8d5c41f950cbf8a4becb6390221bbbb8c28a52fbc68b55296ccf6aaec7a45

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3fc8d5c41f950cbf8a4becb6390221bbbb8c28a52fbc68b55296ccf6aaec7a45

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1950817/
Cape
Cape
https://www.capesandbox.com/analysis/217427/

Comments


Avatar
zbet commented on 2022-01-05 11:18:27 UTC

url : hxxp://2.56.56.4/loadermode.exe