MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 402c9bc187a50f0f180e3dbefa02af49d88b9d12f0a7e6810bc90f0fc5f9e99f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 402c9bc187a50f0f180e3dbefa02af49d88b9d12f0a7e6810bc90f0fc5f9e99f
SHA3-384 hash: 7aef7faeb5c4386f1bc3f8268dc1428041dff0ccabd885e7aaa65a62c551b9373fd7f6f03d1fe4a93ee1570b9965b0fc
SHA1 hash: 02fd987e5e935fa77f3ae8453b70cf096067856d
MD5 hash: a416d9eed457a026eb5a34fc7fd5f52f
humanhash: berlin-minnesota-vermont-mexico
File name:PO#00460_Agro_ltd.com
Download: download sample
File size:615'936 bytes
First seen:2020-08-05 11:55:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:6yUCcPLgRrFEi5vCuDbHP/FdZxqqdKlT5iqFMBCcWYIjLQ:6nCcPUOi3DrP/FLxqqgd1FMfuL
Threatray 2'452 similar samples on MalwareBazaar
TLSH B2D474D42A5C4E09F0FB35F74B3A48F249D19C0EB51C418A2E7EF126843AD585FAE9D2
Reporter abuse_ch
Tags:com HostGator


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway30.websitewelcome.com
Sending IP: 50.116.127.1
From: Olivia Young <haibo2@vhaibo.com>
Subject: Re: HSC PO# 009460/OUDR51..September
Attachment: PO00460_Agro_ltd.rar (contains "PO#00460_Agro_ltd.com")

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39520/
Detection(s):
Win.Packed.Nanocore-9229594-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Sending an HTTP GET request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
DNS request
Launching a process
Deleting a recently created file
Connection attempt to an infection source
Unauthorized injection to a system process
Deleting of the original file
Enabling autorun by creating a file
Sending an HTTP POST request to an infection source
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/411093
Signature
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/402c9bc187a50f0f180e3dbefa02af49d88b9d12f0a7e6810bc90f0fc5f9e99f/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 11:57:09 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iawjxqmhuuhq6gaohw7puavpjhmixhis6ct6nailzehq7rpz5gpq._file
Verdict:
malicious
Similar samples:
082433d5a03c1b8d3afcddfd4dade5d0d14366ad0d1e8d04c2f70fb40558b9cf
28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199
4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889
6ed38f127b3a25cff62c0855aeba85a7134a400b1dd4ef06412c2a96729b9991
76021aea3ce29a8755d97b4c13d16a7bcb9eb0bd6e1a2d1df62ffeb8fb9397cd
92be89b620f61dba7a3c69c6e597787a02b9b8f7e0de333c589ce5048cbd8e6e
a7ed52eaed3c431823109509515c36b6bf45aab634606980509950674f018f88
b8860da111fd60fd6bcb2d6ffd3f1a62357d1da8888b766726bcf0919ba25e3e
febbc268d54ae4612531ceb696c39bd8c0a60ea22d2877751eecce32bd651257
ffd4e843982551c8900daf559ee27a07c7fdeeb6a63e5075fbb8e98c8280f605
+ 2'442 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-c9lq58l5bj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/402c9bc187a50f0f180e3dbefa02af49d88b9d12f0a7e6810bc90f0fc5f9e99f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 0b6581af13593fec6c4bb47fda35f4ccafa4a058cf3587919c965b21600a6c03

Executable exe 402c9bc187a50f0f180e3dbefa02af49d88b9d12f0a7e6810bc90f0fc5f9e99f

(this sample)

  
Dropped by
MD5 235e874e48b07dbc02513710345e3945
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39520/
  
Dropped by
SHA256 0b6581af13593fec6c4bb47fda35f4ccafa4a058cf3587919c965b21600a6c03

Comments