MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b2b38ac21633e5df154ad4cb368f77db88a245edc825cac374193120ad8416d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 4b2b38ac21633e5df154ad4cb368f77db88a245edc825cac374193120ad8416d
SHA3-384 hash: 7f8615fcc28bbbf9d3c11a50e311d348719ac3a6e722d27ffae0c584683d5f1fe9d0c850467a6b188b8433eb2b931c9b
SHA1 hash: 70d098c0f7b7a6e21d6584e28c6948da65e34b0e
MD5 hash: 33a86125d4bdf907ee70c75be2b99f9d
humanhash: stream-beryllium-undress-arkansas
File name: S01_1091716697001_31-03-20211.scr
File size: 986'112 bytes
First seen: 2021-05-05 05:48:31 UTC
Last seen: 2021-05-05 07:12:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep: 12288:C1fxhwL8mLAHefRIZtbVqrTwqEZz85p3qINnjrrDgg/H35EvZaGOujF9:OZyJAH/ZtxqEZzSRbfcHO
Threatray: 67 similar samples on MalwareBazaar
TLSH: F0256A01B7944696ED8E2775E0BB193153A2AD95A97AE70E194BFBB13FB33C140039C3
Reporter: abuse_ch
Tags: scr

Intelligence

File Origin
Uploads: 2
Downloads: 95
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 92 / 100
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID 404652; sample S01_1091716697001_31-03-20211.scr; start date 05/05/2021; architecture WINDOWS; score 92):
Root signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 3 other signatures
Processes started from the root:
- S01_1091716697001_31-03-20211.exe
  - dropped: C:\Users\user\AppData\...\screenplay.exe (PE32); C:\Users\user\AppData\Local\Temp\RegAsm.exe (PE32); C:\Users\...\screenplay.exe:Zone.Identifier (ASCII); C:\...\S01_1091716697001_31-03-20211.exe.log (ASCII)
  - signature: Creates an undocumented autostart registry key
  - started: RegAsm.exe
    - dropped: C:\Users\user\AppData\...\coresystem.exe (PE32)
    - signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
- coresystem.exe
  - started: conhost.exe
- coresystem.exe
  - started: conhost.exe
Threat name: ByteCode-MSIL.Downloader.Seraph
Status: Malicious
First seen: 2021-05-05 01:54:00 UTC
AV detection: 7 of 29 (24.14%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Author: ditekSHen
Description: Detects executables with a stomped PE compilation timestamp that is later than the local current time
Rule name: pe_imphash
Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments



accidentalrebel commented on 2021-05-05 05:59:53 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program