MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd
SHA3-384 hash: 035ad67a18bc7d491d84befae424c01bdebb72d70a0032a2b04527167a6b3bc34884b639a455a58ede5d58f238f667c4
SHA1 hash: a3f0af6576ceaf3b0527f48b34b96982306aea8a
MD5 hash: 0823d6e2ee0cf2646ede2ea05b2ada78
humanhash: chicken-tennessee-minnesota-jig
File name:SecuriteInfo.com.Win64.PWSX-gen.20407.30732
Download: download sample
File size:451'584 bytes
First seen:2022-12-12 04:27:23 UTC
Last seen:2023-01-06 10:32:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:7MmaasnpHavUw74P8E3f28jlhsyrUxr0ZANIiXNDjRj5kc5:7rMpHavR7eT3+8jTsyoxEAOyReW
Threatray 776 similar samples on MalwareBazaar
TLSH T12DA40227A48E18A5EF97F93D53FD7B392792AA708810CB105662E6FEF16070D50846CF
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
formbook
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Win64.PWSX-gen.20407.30732
Verdict:
Malicious activity
Analysis date:
2022-12-12 10:24:34 UTC
Tags:
trojan formbook stealer
Link:
https://app.any.run/tasks/ba192197-0cb5-4a7f-bc9a-e1826e603dc4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345319/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.20407.30732.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6396add49a505ad9423f1c1c/reports/e8314d63-0dac-487e-8ee1-3c3079433713/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bb20aa28-e11c-45ae-8849-2d150c0ad59e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1132396
Signature
.NET source code contains very large array initializations
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 765120 Sample: SecuriteInfo.com.Win64.PWSX... Startdate: 12/12/2022 Architecture: WINDOWS Score: 100 31 www.gomaaelsayed.com 2->31 33 gomaaelsayed.com 2->33 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 2 other signatures 2->45 9 SecuriteInfo.com.Win64.PWSX-gen.20407.30732.exe 1 2->9         started        signatures3 process4 file5 23 SecuriteInfo.com.W...20407.30732.exe.log, CSV 9->23 dropped 55 Writes to foreign memory regions 9->55 57 Injects a PE file into a foreign processes 9->57 13 CasPol.exe 9->13         started        signatures6 process7 signatures8 59 Modifies the context of a thread in another process (thread injection) 13->59 61 Maps a DLL or memory area into another process 13->61 63 Sample uses process hollowing technique 13->63 65 Queues an APC in another process (thread injection) 13->65 16 explorer.exe 13->16 injected process9 dnsIp10 25 187noahsmill.com 162.241.253.39, 49697, 80 UNIFIEDLAYER-AS-1US United States 16->25 27 088-356.com 185.224.170.82, 49698, 49699, 80 PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL Netherlands 16->27 29 12 other IPs or domains 16->29 35 System process connects to network (likely due to code injection or exploit) 16->35 37 Performs DNS queries to domains with low reputation 16->37 20 cmd.exe 13 16->20         started        signatures11 process12 signatures13 47 Tries to steal Mail credentials (via file / registry access) 20->47 49 Tries to harvest and steal browser information (history, passwords, etc) 20->49 51 Modifies the context of a thread in another process (thread injection) 20->51 53 Maps a DLL or memory area into another process 20->53
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd/
Threat name:
Win64.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 04:28:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
12 of 26 (46.15%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jei6oztxb6hqrf36lbkp5b567fwst2alrrna55ed2nrnddezihoq._file
Verdict:
malicious
Similar samples:
002e81aaa44917c3f31513578174f22fa9eab43e0a64714901a8e1efe8887cec
03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f
26e9c2f05c547a575d40b66a4feb317af53b65062611eea7ed6005e0ed88d1e9
292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117
2b0a569433b5a2f7bdccfb8f296cda74e1e4ed74b0fa9f4e7146e34c22a6a940
7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532
a6f687d95308fd4d110ee7f8b07d3992e35802042f2d68c6216a5606b9ef8ab8
a8db61754cfe3eb3cde12a63eadb0631b3437bbbe05bb9c1bbf7d3f4af31a56d
c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44
d325d9ecd5d7b1e7871de63f0807aa53457f82985845a9a6a4e45c0102a9fa69
+ 766 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221212-e3netsda2v/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0d7bdce4-9458-429e-96c6-b1e94db88f55
Unpacked files
SH256 hash:
4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd
MD5 hash:
0823d6e2ee0cf2646ede2ea05b2ada78
SHA1 hash:
a3f0af6576ceaf3b0527f48b34b96982306aea8a
Link:
https://www.unpac.me/results/b5808261-e54d-4b15-8f7e-9c3b0ee68520/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4911e766770f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/345319/

Comments