MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42c52482e23a3a3d7fbcb511c15186a7cb98c6425c2de53e1eb50d58a31a056d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42c52482e23a3a3d7fbcb511c15186a7cb98c6425c2de53e1eb50d58a31a056d
SHA3-384 hash: 34ebd682c32da08a6db67058f46e29ddf0e3eb436f2c7dd038e7ad5c535235c51d4c70b82801bd1b6970c4235c5f0720
SHA1 hash: 84734247347df5871560763f8708cb9b81cd69dd
MD5 hash: c32b8fdf7c7f51ce14ae1859c7417489
humanhash: zebra-summer-louisiana-dakota
File name:Detalles del pago.pdf.exe
Download: download sample
File size:1'732'608 bytes
First seen:2021-12-02 20:27:42 UTC
Last seen:2021-12-03 13:58:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:lBSOt+6w/DSePq91885bNOaJvuzi4tgmMYtQW:jmI0yJ4aOtbM+Q
Threatray 101 similar samples on MalwareBazaar
TLSH T11C852397354491F2E0786933BE83A14C62663CF4AD61D11AAAC3F75F69B23F21E1407B
Reporter pr0xylife
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Detalles del pago.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-02 20:32:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9c76ce0a-1fe6-4959-86e3-c4c37f05970e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210868/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a92c5586bf67e7122091c6/reports/35dbd42f-ca8c-46c0-9ae4-12da883078fd/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e30b4710-fc8f-4c33-9293-6dd85f7ceedd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900475
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Self deletion via cmd delete
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532953 Sample: Detalles del pago.pdf.exe Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 63 Antivirus detection for dropped file 2->63 65 Multi AV Scanner detection for dropped file 2->65 67 Yara detected AntiVM3 2->67 69 7 other signatures 2->69 13 Detalles del pago.pdf.exe 3 2->13         started        process3 signatures4 87 Self deletion via cmd delete 13->87 16 Detalles del pago.pdf.exe 2 13->16         started        process5 signatures6 51 Self deletion via cmd delete 16->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->53 55 Injects a PE file into a foreign processes 16->55 19 Detalles del pago.pdf.exe 2 16->19         started        process7 signatures8 71 Self deletion via cmd delete 19->71 73 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->73 75 Injects a PE file into a foreign processes 19->75 22 Detalles del pago.pdf.exe 2 19->22         started        process9 signatures10 77 Self deletion via cmd delete 22->77 79 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->79 81 Injects a PE file into a foreign processes 22->81 25 Detalles del pago.pdf.exe 5 22->25         started        process11 file12 41 C:\Users\user\AppData\Roaming\...\secdrv.exe, PE32 25->41 dropped 43 C:\Users\user\AppData\...\LookupSvi.exe, PE32 25->43 dropped 83 Self deletion via cmd delete 25->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->85 29 Detalles del pago.pdf.exe 3 25->29         started        signatures13 process14 file15 45 C:\Users\user\AppData\Roaming\...\ProfSvc.exe, PE32 29->45 dropped 47 C:\Users\user\AppData\...\AeLookupSvi.exe, PE32 29->47 dropped 89 Self deletion via cmd delete 29->89 91 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->91 93 Injects a PE file into a foreign processes 29->93 33 Detalles del pago.pdf.exe 29->33         started        signatures16 process17 signatures18 57 Self deletion via cmd delete 33->57 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->59 61 Injects a PE file into a foreign processes 33->61 36 Detalles del pago.pdf.exe 33->36         started        process19 process20 38 WerFault.exe 36->38         started        dnsIp21 49 192.168.2.1 unknown unknown 38->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42c52482e23a3a3d7fbcb511c15186a7cb98c6425c2de53e1eb50d58a31a056d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 20:28:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilcsjaxchi5d2754wui4cumgu7fzrrsclqw6kpq6wugvriy2avwq._file
Verdict:
malicious
Similar samples:
13b46d9524b436eb825c317fde69b0710f295ab95ead1e9d5c4babe39d9287f8
21c9724029e1b659d1b038844e6c76054d65bbd93fbd416bfe31a5449e835845
36ab2872a59101f4cecd684b557281dc264445c0e5624617883f304b31daedc2
673a4571b3bec07ef953c5aaf3b940b4ca622c8919608c8235f9347e6dd512e5
6d239a892a804362a597c30869e82a11f79c66f4fcfd368673027f84aeae3a95
9131f78f68a82c062393fb196cbedf6965f3179f8cead139c27c4325a4418ad2
9783848b6d9e835847a4fb4b8c8c4342798d19ab2c0fe679e6139826abf32989
b665faa659b655f16f4625fcada4b07288836ac80f91ac7eb88bf16b5a20c1b3
dbccb179b38bd0493f594f5a4bda348c397a70421d2d164144a6911863a478a1
e13cb852ef9d4d654e8614824087ac7298adcb602d6fbc4937ef2ef51642bfb2
+ 91 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211202-y8z6csbfhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
f58fdbec9814760ea6a8ab0936446bbfad9dfea5bdc39cab1723ba167c5036d4
MD5 hash:
977926d749d1ac4fe2bdf3f9664c3e81
SHA1 hash:
9572b56fc141d4956c374407960b37e0d9880772
Link:
https://www.unpac.me/results/9439f732-d6fd-447b-96b7-a99f8e25f0c2/
SH256 hash:
1eba3e6e55f4aa87ee88dad11183f808f00870bf6277e3ae19fb31400a1dbe5b
MD5 hash:
00b620728472aef2af115e0455930cf8
SHA1 hash:
649a4ad0f13a3176ea36b855c1b36fbce246446a
Link:
https://www.unpac.me/results/9439f732-d6fd-447b-96b7-a99f8e25f0c2/
SH256 hash:
42c52482e23a3a3d7fbcb511c15186a7cb98c6425c2de53e1eb50d58a31a056d
MD5 hash:
c32b8fdf7c7f51ce14ae1859c7417489
SHA1 hash:
84734247347df5871560763f8708cb9b81cd69dd
Link:
https://www.unpac.me/results/9439f732-d6fd-447b-96b7-a99f8e25f0c2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/42c52482e23a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42c52482e23a3a3d7fbcb511c15186a7cb98c6425c2de53e1eb50d58a31a056d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/210868/

Comments