MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb67a53b9aa137648e0af6235202f2a7ed2def37fa48fbda0ba6a9fb46f01c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ZeromaxStealer


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cb67a53b9aa137648e0af6235202f2a7ed2def37fa48fbda0ba6a9fb46f01c7
SHA3-384 hash: bf7208b760dba13fb2d34fa70f14c82e9377d24b56def1bc7a7db245f10133ef0da3d2f770c8509a49ede9981fdef1d5
SHA1 hash: f0419038748d32a04b1b0646a8111117a9cead57
MD5 hash: 1ccb5ffb97f056707160b980cc7efa9f
humanhash: orange-lake-item-west
File name:4.bin
Download: download sample
Signature ZeromaxStealer
Create hunting rule
File size:237'568 bytes
First seen:2020-07-02 18:01:11 UTC
Last seen:2020-07-23 13:14:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:Iw53vG8Qi4DOVm2Ebxxkw6RYDgWLMm4snkWrOISoxlU3pjgWq3Xm:Iw5+8QjaVm2EbxtLMJssWlU3p
Threatray 45 similar samples on MalwareBazaar
TLSH B134AE0437848237C6DA0B35D4B787119776F41067B2D35F3AAC61DE9E237A06E6732A
Reporter 3xp0rtblog
Tags:Zeromax ZeromaxStealer

Intelligence

File Origin
# of uploads :
3
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18533/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33906845.5654.6569.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4cb67a53b9aa137648e0af6235202f2a7ed2def37fa48fbda0ba6a9fb46f01c7/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-05-25 21:33:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=js3huu5zvijxmshav5rdkibpfj7nfxxtp6si7pnaxjvj7ndpahdq._file
Verdict:
malicious
Similar samples:
05a155b2e1218708d1803e647ce21abb556abb208d16c7861904f5ea938bde03
ZeromaxStealer
0b95b126cf983c7a26829e8355d66de10cc1e085a3a981703040269ce43f863a
ZeromaxStealer
12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
ZeromaxStealer
178cf2e50182606e000719ee8b7caa9c620950155542d10de6dd7eb5a2a34d01
ZeromaxStealer
24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e
ZeromaxStealer
256966058fb63c734b270b6842820287bb83a5895d0a14a5b66f52db037405fb
ZeromaxStealer
a3cd4c88cc48bcfd7ad16fd851948010f273215ce0c11b3538defba8f440bd0e
ZeromaxStealer
c829aa312e2ea1c043566e26517b2bf90e9c12ed68e9d7d24577ebc13f2cf3b1
ZeromaxStealer
de989a7339fadd1a4c95ce4ff18fca9959cee32161354062327b52a38541d02c
ZeromaxStealer
e363126219327414e0ab73a7b053e3c25bcfd656ff7b3b1f5db6e86076a93986
ZeromaxStealer
+ 35 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/200702-4pcsdd1w1j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Program crash
Checks for installed software on the system
Checks for installed software on the system
Reads user/profile data of web browsers
Loads dropped DLL
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1278747903520116736?s=20
anyrun
any.run
https://app.any.run/tasks/6ec75246-6206-4a5c-9b0c-2bb3ea9a9f81/#
  
Delivery method
Multiple
Cape
Cape
https://www.capesandbox.com/analysis/18533/

Comments