MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e3f0d6fc66f3881a716191aa965e1b4bceceb357d98f63254e4cb6db00c7c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e3f0d6fc66f3881a716191aa965e1b4bceceb357d98f63254e4cb6db00c7c5
SHA3-384 hash: b6c913681848b95b1aa7442c6a1fcaa8d07e5e050ba8e6a2ebb70bed5d12869e78f9f328dd4fc157392d25686cd9b693
SHA1 hash: f2f6646aa2a70ae1520728c376d6048e5a8bf7ef
MD5 hash: 51a6e667c3c59d0e4a2fb644a284ead4
humanhash: indigo-twelve-nevada-fix
File name:51a6e667c3c59d0e4a2fb644a284ead4.exe
Download: download sample
File size:302'080 bytes
First seen:2022-04-12 12:45:55 UTC
Last seen:2022-04-12 14:00:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:X3W333a333F333O333j333M333D333q333T333R333e333W333Z333D333y333Sa:X3W333a333F333O333j333M333D333q/
Threatray 1'326 similar samples on MalwareBazaar
TLSH T17154538D3F3C640AC5F5A8BA1F5737A6EBBE4F1160A34E0099BDBF0DC1931E029A5951
File icon (PE):PE icon
dhash icon e09233614d71a2c0 (1 x AZORult)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://62.204.41.69/pm.exe
Verdict:
Malicious activity
Analysis date:
2022-04-13 00:20:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f47a78bb-9b84-4274-9ee4-0e464481967d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263091/
Detection(s):
SecuriteInfo.com.Variant.Ursu.118312.25904.12717.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/62557498482f2f41ca9fd30b/reports/cc0b7739-a93f-4741-80f7-4fb5b2e5e76e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/502f1465-f5b9-4240-a4b1-c96822ecc996
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/975440
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Detected unpacking (overwrites its own PE header)
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Encoded PowerShell Command Line
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/40e3f0d6fc66f3881a716191aa965e1b4bceceb357d98f63254e4cb6db00c7c5/
Threat name:
Win32.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2022-04-12 12:46:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
10 of 40 (25.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0e22f42c7121ad7bd94850929efe4e42fe7cc13808f5404a3a864b56bcfcb49f
163f0f159705867530e310ee48ffb66a057fba8a236ca2473c3de1d2f9ea48c9
1c680ca848d97f43e8a73d323f694b0a6701f14af19ef0da1e99e7eac9af8a65
6b10f57d5211fa504775f4db4021b74bfee20d6fc6f908fb062044db926c0656
785771e54cd9bb3c949f9967c391d5bef6c09c3a25edabc396c188741ddd570c
8f9ff0227f4ce6ed3259d5f2f8bfd8c54496e9896ad5f522cdd768911be4b4bc
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
c9aa37b14d02530c430923c6f758158f1116109efad42f3cbd2eb965aa1c3b1f
d24cfa0bdad2e8531085b2cf684b9ea333fd5d85daa7c7a51750e943f6ae7e0b
+ 1'316 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220412-pzl3psefb6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
40e3f0d6fc66f3881a716191aa965e1b4bceceb357d98f63254e4cb6db00c7c5
MD5 hash:
51a6e667c3c59d0e4a2fb644a284ead4
SHA1 hash:
f2f6646aa2a70ae1520728c376d6048e5a8bf7ef
Link:
https://www.unpac.me/results/07825b7e-c086-43a1-9318-c11113ded57e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/40e3f0d6fc66/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/40e3f0d6fc66f3881a716191aa965e1b4bceceb357d98f63254e4cb6db00c7c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 40e3f0d6fc66f3881a716191aa965e1b4bceceb357d98f63254e4cb6db00c7c5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2115184/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/263091/

Comments