MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872
SHA3-384 hash: c83499839e212ee08c3fcdfa4b59a009366e1c3c893e9268e97274bc71b9ad1f06abf8b109ee6572804c5ec8f22c1068
SHA1 hash: bfce4adde927b435216944e9248558dc4e86c09d
MD5 hash: 4cf8df527881a65164126227878a5935
humanhash: wisconsin-five-earth-magazine
File name:4cf8df527881a65164126227878a5935.exe
Download: download sample
File size:522'096 bytes
First seen:2020-11-19 06:05:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:Nhe5ivw7udEYbp1xnnv9MuhAEcl4T4RTHu+7A5i9UnwUBT08cdJ+IHO7hbJyayaj:7h8OwBkyl810rJ3Tq9icDCgc99VKl
Threatray 42 similar samples on MalwareBazaar
TLSH EFB422B4807F1022F7DB457536AEBEA401B1F5DBDBDA9A0803B8E5311BBDA523B0464D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/542723
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320460 Sample: laaHx15J0T.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 56 37 Multi AV Scanner detection for submitted file 2->37 39 Machine Learning detection for sample 2->39 41 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->41 8 laaHx15J0T.exe 3 2->8         started        process3 file4 35 C:\Users\user\AppData\...\laaHx15J0T.exe.log, ASCII 8->35 dropped 11 laaHx15J0T.exe 1 1 8->11         started        process5 process6 13 powershell.exe 24 11->13         started        15 powershell.exe 5 11->15         started        17 powershell.exe 5 11->17         started        19 10 other processes 11->19 process7 21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 conhost.exe 19->31         started        33 7 other processes 19->33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872/
Threat name:
ByteCode-MSIL.Backdoor.Maslog
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 00:27:39 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0d6f912181bf01b2197d8501f5b38f6c009c6c4a4e76fa6e0b3d2d4efe05bfbb
2bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30
6c48ef627ef59ceb65a7bc0dc24b8df5c9127a37b033c8aef5a1851b4f107a3b
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb
77d3172d77aa45c61b8563dcb13b26bd2f8f9fb4cbc2fcc966966a26f316ba56
8f00b0da22ad089cc4f9e26d98d4f2000ea0cba3add268d471be4f027c1a965c
9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9
bee8a143562146fc38a4d02e59d2f2e280dc0a547cda9983dfde0aacdea4e99e
cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb
ef9d0a47d16301129755a6d9570f1f1bdc167bfee3d6649aad9835366920bf25
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201119-wh9dsbkgpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872
MD5 hash:
4cf8df527881a65164126227878a5935
SHA1 hash:
bfce4adde927b435216944e9248558dc4e86c09d
Link:
https://www.unpac.me/results/e4777e81-4425-45ee-8e5a-3c042545ee3f/
SH256 hash:
41b961235d258d8a1b8ddbacb865880f8e38a73d5120c66a12f53613ae3b9b33
MD5 hash:
8a245d8b2dfe81d86bfa84e95733f809
SHA1 hash:
335211ef89a387a9d4ba06b92a6307be75e6eecd
Link:
https://www.unpac.me/results/e4777e81-4425-45ee-8e5a-3c042545ee3f/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/e4777e81-4425-45ee-8e5a-3c042545ee3f/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/e4777e81-4425-45ee-8e5a-3c042545ee3f/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/447390/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/686521/
  
URLhaus
https://urlhaus.abuse.ch/url/439791/

Comments