MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46c71fa9cdfc8bb072a8739ce03a6e824b4cece53e149382f21e2d4640cf7838. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8

SHA256 hash: 46c71fa9cdfc8bb072a8739ce03a6e824b4cece53e149382f21e2d4640cf7838
SHA3-384 hash: 797a4ef8c2e83ac9a06a596211a4d50e0fe7add04952da3f478cb67e6b9b4940b454ce95b09d2b11294c61bcd3b1a6d0
SHA1 hash: af002d6fb72ba23dd65b9ba0a9ec3b6afc67fa4c
MD5 hash: dd37c06a353b9873cffefb86079d7ab0
humanhash: eleven-alaska-double-fix
File name: dd37c06a353b9873cffefb86079d7ab0
File size: 14'538'240 bytes
First seen: 2022-02-05 04:15:07 UTC
Last seen: 2022-02-05 05:38:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 393216:/ngBZW4F4ta4CMY+qa+4BEOQCoW1fj6aK4:fgXW4F4E4CMc4Bs4
Threatray: 6 similar samples on MalwareBazaar
TLSH: T177E65B027AE0DD29D0756732C7624CB073AA7C59FE53C3DB18ACBB9A3571B426D0472A
dhash icon: 71d8b8e4d8e2e471
Reporter: zbetcheckin
Tags: 32 exe
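The entry lists four digests plus an imphash that, by the counts above, is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples. The script below is an added example, not MalwareBazaar's code: it recomputes the digests of a local copy of the sample and compares them with the values listed above, and it reimplements the pefile imphash algorithm over a caller-supplied import list to show that the listed imphash is the one every .NET executable gets from its single mscoree.dll!_CorExeMain import. The file path argument and the import list are assumptions of the caller; nothing is fetched from MalwareBazaar.

```python
"""Verify a downloaded sample against the hashes listed in a MalwareBazaar
entry, and show why the listed imphash is not a useful pivot for a .NET file.

Added example; not MalwareBazaar code. imphash() reimplements the pefile
algorithm (lower-case "dll.func" pairs joined by commas, then MD5) over an
import list you supply; it does not parse the PE import table itself, and
it ignores pefile's ordinal-to-name lookup for imports without a name.
"""
import hashlib

# Values copied from this entry (SHA256 46c71fa9...).
ENTRY = {
    "md5": "dd37c06a353b9873cffefb86079d7ab0",
    "sha1": "af002d6fb72ba23dd65b9ba0a9ec3b6afc67fa4c",
    "sha256": "46c71fa9cdfc8bb072a8739ce03a6e824b4cece53e149382f21e2d4640cf7838",
    "sha3_384": "797a4ef8c2e83ac9a06a596211a4d50e0fe7add04952da3f478cb67e6b9b4940"
                "b454ce95b09d2b11294c61bcd3b1a6d0",
}
ENTRY_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"


def compute_hashes(data: bytes) -> dict:
    """Return the same four digests MalwareBazaar lists, as lower-case hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def verify_against_entry(data: bytes, entry: dict = ENTRY) -> dict:
    """Compare every digest of `data` with the entry; True means it matches.

    Check all four rather than MD5 alone: MD5 and SHA1 are collision-prone,
    and a mismatch on any digest means this is not the listed file.
    """
    got = compute_hashes(data)
    return {name: got[name] == entry[name].lower() for name in entry}


def imphash(imports) -> str:
    """pefile-style imphash over (dll, function) pairs.

    The DLL name is lower-cased and stripped of a .dll/.ocx/.sys suffix, the
    function name is lower-cased, the "dll.func" strings are joined with ","
    in import-table order, and the result is MD5-hashed.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if ext in ("dll", "ocx", "sys") and base:
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


# A managed EXE's native import table holds exactly one entry,
# mscoree.dll!_CorExeMain, so every .NET executable shares one imphash.
# That is the value this entry lists, which is why it co-occurs with tens
# of thousands of unrelated AgentTesla, Formbook and SnakeKeylogger samples:
# it identifies the .NET runtime, not the malware family.
DOTNET_IMPORTS = [("mscoree.dll", "_CorExeMain")]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Path to the extracted sample is supplied by the caller (assumption).
        with open(sys.argv[1], "rb") as fh:
            print(verify_against_entry(fh.read()))
    print("generic .NET imphash:", imphash(DOTNET_IMPORTS),
          "matches entry:", imphash(DOTNET_IMPORTS) == ENTRY_IMPHASH)
```

Run it against the extracted sample (MalwareBazaar serves downloads as a password-protected ZIP); any False in the result means the file on disk is not the one this entry describes. Because the imphash here only identifies the .NET runtime, pivot on the SHA256, ssdeep or TLSH values instead.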

Intelligence


File Origin
# of uploads: 2
# of downloads: 250
Origin country: n/a
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: dd37c06a353b9873cffefb86079d7ab0
Verdict: No threats detected
Analysis date: 2022-02-05 04:22:19 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
DNS request
Searching for the window
Sending a custom TCP request

Result
Verdict: MALICIOUS
Malware family: Generic Malware
Verdict: Malicious

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 52 / 100
Signature:
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Multi AV Scanner detection for submitted file

Threat name: ByteCode-MSIL.Trojan.IRPlan
Status: Malicious
First seen: 2022-02-04 23:12:00 UTC
File Type: PE (.Net Exe)
Extracted files: 459
AV detection: 17 of 27 (62.96%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour:
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Checks computer location settings
Sets service image path in registry
Unpacked files
SHA256 hash: 6c03ca2e17811bb70881003235b521ec09d3aaae2d58c990807a5bf638b02390
MD5 hash: 0084d227b0d1f23bbad36935df6a4069
SHA1 hash: e599047e3769de1e4b09ffebfa8e9d742286443b

SHA256 hash: fa63b7406e89fe0d4e803deff8b30ce285656b8f8d31ffe111b3a441f0510c7e
MD5 hash: 804b90e715fe42e951da3584e6959b25
SHA1 hash: a6d821c9028d7d7c4a8659b9764693b17fcd3dab

SHA256 hash: 6f335b6881409a043c9654baebc829d5089e171b6a0e18744ccc7e95aef599f8
MD5 hash: 6c987a205ef4410634a19519bb620a91
SHA1 hash: 97ac7fb6edff29bde419b92f68717c98fa2b5f88

SHA256 hash: 5d009ea745d4f3eb50c233e702780804da9d44feac5cf6dae56da24979d99d09
MD5 hash: 8d53483312b5baf872c33c476354a804
SHA1 hash: 85e3a108c80e67e1e47f8923c82636df5e009e4b

SHA256 hash: 2abf42160302b0f44ea7dcc2e1c1ef910106df8835b0d94f9ced9428655b89e1
MD5 hash: 351ee62de72b9530deee03c9c68d2a29
SHA1 hash: 59f350893a56df61495392474199fd50c7c58901

SHA256 hash: 468741ac0066b2d5dc49862f532140513187ca7296792d48daa4cd343d1da52f
MD5 hash: 996391120344c06e1974a53660d691a2
SHA1 hash: 50e7d45bac709a00591f1c2a25f837d3bf19d3ba

SHA256 hash: ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1
MD5 hash: 8f6875148b45c300b95514cb40703c2e
SHA1 hash: 0015b8e21d84e0f6f174cf71b63651bad94582df

SHA256 hash: 46c71fa9cdfc8bb072a8739ce03a6e824b4cece53e149382f21e2d4640cf7838 (this sample)
MD5 hash: dd37c06a353b9873cffefb86079d7ab0
SHA1 hash: af002d6fb72ba23dd65b9ba0a9ec3b6afc67fa4c
Please note that we are no longer able to provide a coverage score for VirusTotal.
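The behaviour list above includes "Sets service image path in registry" alongside "Drops file in Windows directory". The block below is an added example, not code from MalwareBazaar or from any vendor shown on this page, of the detection a SOC would derive from that behaviour: it scans Sysmon Event ID 13 (RegistryEvent, SetValue) records for writes to a service's ImagePath by any process other than the Service Control Manager, and raises the severity when the new service binary lives in a user-writable directory. The events embedded in the block are constructed to mirror Sysmon's field names; they are not telemetry from this sample, and the process and service names in them are invented.

```python
"""Flag service ImagePath writes in Sysmon Event ID 13 records.

Added example; not from MalwareBazaar or any sandbox vendor. The events in
SAMPLE_EVENTS are constructed for illustration and are not logs of the
sample described on this page.
"""
import re

# The Service Control Manager is the expected writer of service config.
# Anything else setting ImagePath (installers aside) deserves a look.
SERVICES_EXE = r"c:\windows\system32\services.exe"

# Sysmon normalises the hive to "HKLM\System\CurrentControlSet\...".
IMAGEPATH_RE = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\ImagePath$",
    re.IGNORECASE,
)

# Service binaries placed in user-writable locations are the highest-signal
# subset; a service pointing into System32 still warrants review, but less.
USER_WRITABLE_RE = re.compile(
    r"(\\users\\|\\programdata\\|\\temp\\|\\appdata\\|\\windows\\tasks\\)",
    re.IGNORECASE,
)


def detect_service_imagepath(events):
    """Return one finding per suspicious ImagePath write.

    Each event is a dict carrying Sysmon EID 13 fields: EventType, Image
    (the writing process), TargetObject (registry path) and Details (the
    new value). Severity is "high" when the new binary sits in a
    user-writable path, otherwise "medium".
    """
    findings = []
    for ev in events:
        if ev.get("EventType") != "SetValue":
            continue
        match = IMAGEPATH_RE.match(ev.get("TargetObject", ""))
        if not match:
            continue
        if ev.get("Image", "").lower() == SERVICES_EXE:
            continue  # SCM maintaining service config is business as usual
        new_path = ev.get("Details", "")
        findings.append({
            "service": match.group("svc"),
            "writer": ev.get("Image"),
            "image_path": new_path,
            "severity": "high" if USER_WRITABLE_RE.search(new_path) else "medium",
        })
    return findings


# Constructed Sysmon-style events (invented names; not from this sample).
SAMPLE_EVENTS = [
    # Benign: SCM rewriting a built-in service's path.
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe"},
    # Suspicious: a binary in the user's temp dir installs a service whose
    # image lives in ProgramData.
    {"EventType": "SetValue", "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UpdaterSvc\ImagePath",
     "Details": r"C:\ProgramData\Updater\svc.exe"},
    # Same writer touching a different value under the service key: ignored.
    {"EventType": "SetValue", "Image": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\UpdaterSvc\Start",
     "Details": r"DWORD (0x00000002)"},
    # Suspicious but lower severity: new driver service whose image was
    # dropped into the Windows directory.
    {"EventType": "SetValue", "Image": r"C:\Windows\Temp\setup.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\HelperSvc\ImagePath",
     "Details": r"C:\Windows\System32\drivers\helper.sys"},
]


if __name__ == "__main__":
    for finding in detect_service_imagepath(SAMPLE_EVENTS):
        print(finding)
```

In production the same logic runs over Sysmon's XML or a SIEM's parsed fields; keep an allow-list of known installers that legitimately write ImagePath, and join the finding back to the writer's own process-creation event (Sysmon EID 1) to recover the parent chain.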

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

Rule name: attack_India

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: INDICATOR_EXE_DotNET_Encrypted
Author: ditekSHen
Description: Detects encrypted or obfuscated .NET executables

Rule name: INDICATOR_EXE_Packed_Dotfuscator
Author: ditekSHen
Description: Detects executables packed with Dotfuscator

Rule name: INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Author: ditekSHen
Description: Detects Windows executables referencing non-Windows User-Agents

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Executable exe 46c71fa9cdfc8bb072a8739ce03a6e824b4cece53e149382f21e2d4640cf7838 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2022-02-05 04:15:13 UTC

url : hxxp://137.184.87.137:8000/DE.txt