MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea
SHA3-384 hash: 68316e49f62ee76686a4fa0fe9c5f3605b3e3db70e231565cd4d61fb06e759343e7d9b0cea5d2ca28b4e7e7fd4db3a95
SHA1 hash: 8bf1a61f3a50551f3fdf8e3f569787a619afafde
MD5 hash: b63791ced17b581d52f1191a7a9d5014
humanhash: fruit-pasta-pennsylvania-wyoming
File name:Mwtoinqw.exe
Download: download sample
File size:2'118'656 bytes
First seen:2022-10-20 19:57:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:ky5XlEdyMAILhGou7K+3Fava5sTbSx7SnWZQzjFeM6DJOjB9sTTHyN2EZeGDTsaB:9wvv3SxunYQb6VOrEt2UOSM9m5tO
Threatray 3'104 similar samples on MalwareBazaar
TLSH T17CA5D7A194B78082F9CF49902568B9D306B17C63ADC5043B531A7F41CF7BB98BDC86E9
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon e194aab2b2aad421 (10 x AgentTesla, 4 x AveMariaRAT, 3 x Formbook)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Mwtoinqw.exe
Verdict:
No threats detected
Analysis date:
2022-10-20 19:58:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/61eabda1-6273-45cc-a95d-95f3d9ddad49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/322129/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Reading critical registry keys
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6351a84ab5f60e72b8c7abf2/reports/a37d444a-e9ab-44ae-87e5-bb3613f0a8f8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f93b3b85-7259-4e2a-9e9f-edce5f90de6f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1094461
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-10-20 09:00:55 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
18
AV detection:
20 of 26 (76.92%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ipr3kta5qkhbtwes55ytla4rlyxhfbml4ex6fugmkmyoznu3p3va._file
Verdict:
malicious
Similar samples:
36f236ece6077f65bf5513daa3fc779863f6027b62950137f606ef448fc7727a
65974a49b0f427641f96866baacf2ab54717f613adc747812061bb05e4dde779
6d62cebf308b5ab873d98e0447c68f936bc34addeb924eb8ef972072ca13d4bf
768e07081c36c61c7ca4cc6c996c99e128adb6d137ad5c4f15f14edd17e492ca
8785300bc02bbf034417c477db91c121123b31b1eaf24fc0f74ee11e11ec058c
9c348075ed5b4586cb68c9d794189661b4bcb53c86eff81afd634e29ef9e8369
b78d348dc8a28e80d79acd9118ea488c502a18c30b211a03edd4cfd59715090f
cbab4cfcbca79f53ed3faf1ea4fc48270b44c50529a96698c3b5ab250e438454
f333b87b79d0fbf142976bb401a082f189b00c49e65a3ad7b1ed5b8f33320ba0
+ 3'094 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/221020-yps8pscchn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5b5ef987-3e6e-4b21-9818-2bc7358c9156
Unpacked files
SH256 hash:
43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea
MD5 hash:
b63791ced17b581d52f1191a7a9d5014
SHA1 hash:
8bf1a61f3a50551f3fdf8e3f569787a619afafde
Link:
https://www.unpac.me/results/e0864b2b-fbc3-4413-bb2c-efe2b70bf9cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 43e3b54c1d828e19d892ef713583915e2e72858be12fe2d0cc5330ecb69b7eea

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/322129/

Comments