MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e
SHA3-384 hash: 5d543d85c7259b7f599b7035683949661381a5f608888cd51c165211d797e0667d06de0f407b3a3b3001fc23609486dc
SHA1 hash: f0efe2a9c495ce23ce574a0c9dfa76e06e3d65f5
MD5 hash: e8b6c2c9dfbf5ccb632d59e2da690ac6
humanhash: kilo-mango-colorado-vermont
File name:e8b6c2c9dfbf5ccb632d59e2da690ac6
Download: download sample
File size:1'029'662 bytes
First seen:2021-09-02 00:41:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf6171d5e900bf93e668170d1a189f34 (4 x CryptBot, 1 x Amadey, 1 x RedLineStealer)
ssdeep 24576:v3gjaws1jIkjpXws+olzy6TZwLOLoqZw+Jsp3OuplEih5OaYk2:vgjshn9XPVz1MOLFJgplEihkaYk2
TLSH T1A925222172D9D87BE1D2173148E66BAB1876FB710F1483C7BB802E1B6C3A5D1D63816B
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e
Verdict:
Malicious activity
Analysis date:
2021-08-30 14:03:50 UTC
Tags:
trojan 1xxbot autoit
Link:
https://app.any.run/tasks/7c9733f8-752e-4466-b68e-ff15c3e465ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184612/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37517637.22057.19268.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
DNS request
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling autorun by creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66226c3d-edc5-4129-879b-009ad12224f4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/843718
Signature
Contains functionality to register a low level keyboard hook
Creates processes via WMI
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Submitted sample is a known malware sample
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 476149 Sample: Pv4WC4mt7U Startdate: 02/09/2021 Architecture: WINDOWS Score: 76 55 Multi AV Scanner detection for submitted file 2->55 57 Sigma detected: Drops script at startup location 2->57 9 Pv4WC4mt7U.exe 7 2->9         started        12 wscript.exe 2->12         started        14 SprCNXIuIz.exe.com 2->14         started        process3 dnsIp4 61 Contains functionality to register a low level keyboard hook 9->61 17 cmd.exe 1 9->17         started        20 dllhost.exe 9->20         started        63 Creates processes via WMI 12->63 47 NNUcLOTLJm.NNUcLOTLJm 14->47 signatures5 process6 signatures7 49 Submitted sample is a known malware sample 17->49 51 Obfuscated command line found 17->51 53 Uses ping.exe to check the status of other devices and networks 17->53 22 cmd.exe 3 17->22         started        25 conhost.exe 17->25         started        process8 signatures9 59 Obfuscated command line found 22->59 27 Ape.exe.com 22->27         started        30 findstr.exe 1 22->30         started        33 PING.EXE 1 22->33         started        process10 file11 65 Drops PE files with a suspicious file extension 27->65 35 Ape.exe.com 6 27->35         started        43 C:\Users\user\AppData\Local\...\Ape.exe.com, Targa 30->43 dropped signatures12 process13 dnsIp14 45 NNUcLOTLJm.NNUcLOTLJm 35->45 39 C:\Users\user\AppData\...\SprCNXIuIz.exe.com, PE32 35->39 dropped 41 C:\Users\user\AppData\...\SprCNXIuIz.url, MS 35->41 dropped file15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-30 01:09:00 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210902-fq2v4ahkme/
Behaviour
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Unpacked files
SH256 hash:
4821b0097ce5a4a423f8cd7276af3917f769764bb6b71a62de1affbf32383bf4
MD5 hash:
972111920d7ecd4c85cddc0c8517806f
SHA1 hash:
8fe44d2705c2ac1d2bf28bbade5b205dc1912286
Link:
https://www.unpac.me/results/80a150b8-2983-44c9-b8c7-48b91f04688a/
SH256 hash:
45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e
MD5 hash:
e8b6c2c9dfbf5ccb632d59e2da690ac6
SHA1 hash:
f0efe2a9c495ce23ce574a0c9dfa76e06e3d65f5
Link:
https://www.unpac.me/results/80a150b8-2983-44c9-b8c7-48b91f04688a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 45942f1e34b3d4c2b866451282878b85c26e6582f81b37b5e01437d2f8e8c32e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1584676/
Cape
Cape
https://www.capesandbox.com/analysis/184612/

Comments


Avatar
zbet commented on 2021-09-02 00:41:20 UTC

url : hxxps://km.popmonster.ru/368530214.exe