MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41b39ef20c5490973503358df715382332ca0ef57016ee9a3d9d6d7639a6d4a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41b39ef20c5490973503358df715382332ca0ef57016ee9a3d9d6d7639a6d4a2
SHA3-384 hash: 61cae15c0bc29dbce464651194ac316db99945effa7b0ae75ac7beeb431e874183f4a39d0087aa7e01ea5dbe1b82d2cf
SHA1 hash: 5928f31633f3b4fc226297c5a2b1e920c1a231af
MD5 hash: 24cce691709f1ed05d5c1c765a258180
humanhash: september-lemon-bakerloo-gee
File name:24cce691709f1ed05d5c1c765a258180.exe
Download: download sample
File size:66'048 bytes
First seen:2022-03-03 09:01:14 UTC
Last seen:2022-03-17 16:58:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 768:WobtA02b1R3A1wsV0hkOLKYlEO8eBCjviqErlCdszYdl0jya8zcwR0C:WobtiZwwsV0iOLdlEbaqEYdszM0N/U
Threatray 210 similar samples on MalwareBazaar
TLSH T18853822BD7630C58C9303BFCDEA2DBA50A9C5F8D2C32C7D749A5FC5070EAA4578499A1
File icon (PE):PE icon
dhash icon 9c4261796179bdc2 (4 x RedLineStealer, 1 x Cobalt Strike)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246810/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9db56dd2-fb49-4818-809f-b9a7167c57dd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/949829
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 582335 Sample: 7W9x5C6sru.exe Startdate: 03/03/2022 Architecture: WINDOWS Score: 68 37 Antivirus / Scanner detection for submitted sample 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 .NET source code contains potential unpacker 2->41 43 Machine Learning detection for sample 2->43 7 7W9x5C6sru.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        12 cmd.exe 1 7->12         started        14 cmd.exe 1 7->14         started        16 cmd.exe 7->16         started        signatures5 45 Uses ping.exe to check the status of other devices and networks 9->45 18 PING.EXE 1 9->18         started        21 conhost.exe 9->21         started        23 PING.EXE 1 12->23         started        25 conhost.exe 12->25         started        27 PING.EXE 1 14->27         started        29 conhost.exe 14->29         started        process6 dnsIp7 31 yahoo.com 98.137.11.163 YAHOO-GQ1US United States 18->31 33 74.6.143.25 YAHOO-3US United States 23->33 35 192.168.2.1 unknown unknown 23->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41b39ef20c5490973503358df715382332ca0ef57016ee9a3d9d6d7639a6d4a2/
Threat name:
ByteCode-MSIL.Trojan.Tiggre
Create hunting rule
Status:
Malicious
First seen:
2022-02-17 03:50:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
27 of 43 (62.79%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019
4f4d0fe769bd9d316323e290ab9116b5dd95eb7ff5842371f4ff54b2bcc1ae66
5a8455f269d1c9db4c93fc09554a32f25b865bd151cb587d88a37ec961d42df3
82b3491e9f118bd2fcc92d9badcfa2ba52ea3f37b119e6f2d33272591208a06a
9bd40dc608fbfece64be8707069dc0284f2b358d2c3a164e326e6e602914d4dc
9c969019ad35d50bba579c1b682b28004e70393ff3d750636e6e6cf139f16406
a4717412162c3a9b74997841c66cb913771279323f6e5829b6e42b0970499e08
e803c5d292e1684844ff0ac82e76ca90caca1e44e7cd3507ce4ee4507b9d9fb2
+ 200 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220303-kzf48sbggn/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
41b39ef20c5490973503358df715382332ca0ef57016ee9a3d9d6d7639a6d4a2
MD5 hash:
24cce691709f1ed05d5c1c765a258180
SHA1 hash:
5928f31633f3b4fc226297c5a2b1e920c1a231af
Link:
https://www.unpac.me/results/21d61159-35be-44c9-bbe5-a89543c6aa47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/41b39ef20c5490973503358df715382332ca0ef57016ee9a3d9d6d7639a6d4a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 41b39ef20c5490973503358df715382332ca0ef57016ee9a3d9d6d7639a6d4a2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2072356/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/246810/

Comments