MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e1c96e05276dd700f69c85d9fdd9f1a72197a0b4a08e5b7e9f2b4fa9f09c72c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e1c96e05276dd700f69c85d9fdd9f1a72197a0b4a08e5b7e9f2b4fa9f09c72c
SHA3-384 hash: 287a9a698bf711672057a972cf1bf3a85a2bcad5df08080dcf28e815dd2f3bb49c1e08f5c887025eb64d3284143b88a9
SHA1 hash: 5a9575d4176c11bc98bbcab2b581f8cf440b702b
MD5 hash: e47ba85363d968c98b4717c7c36022c8
humanhash: pasta-don-artist-cola
File name:e47ba85363d968c98b4717c7c36022c8
Download: download sample
File size:77'312 bytes
First seen:2022-06-30 16:16:10 UTC
Last seen:2022-07-15 03:15:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 1536:ODGgbh+psYzLL8ZY45zYXBAHvJ/5jkvVDShr6sVCUgcLYzS03K8B:VgbhsL8aizYmvt5j0OhrzCU+z/n
Threatray 86 similar samples on MalwareBazaar
TLSH T1B573F1913EDCC2AEC5FD4A711EA373A11EF8EA1E0EC1B64D5495024B6C939590DCBB8C
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 58cefacd6c2c6c1c (3 x CoinMiner, 1 x RedLineStealer, 1 x Stealc)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284639/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.410.3469.23106.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bdcc806ad95faf97e1fc2d/reports/d669e05e-e12d-46aa-b224-6a5ffaa7f42e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2ef850ad-3d7d-41c9-a381-57493c34d99c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1022724
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e1c96e05276dd700f69c85d9fdd9f1a72197a0b4a08e5b7e9f2b4fa9f09c72c/
Threat name:
ByteCode-MSIL.Trojan.RealProtectPENGSD
Create hunting rule
Status:
Malicious
First seen:
2022-06-30 16:17:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyojnycso3oxad3jzboz7xm7djzbs6qljieoln7j6k2pvhyjy4wa._file
Verdict:
unknown
Similar samples:
082525150d7aace7e21b3bfb469f86c2e7239593c50cebc143d7f8a66b898b83
0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34
35256002ef756a42079880ccdec95862e80830e69ebc56225f2b2a34ec28f771
3ebffe25deb8f02e10b07eab7085d67df052230f976c3a5b49ceb0df69e24b47
661b9359fb87ee27ecb4db4aab1ec3797d3bd500baa1cf59de159c4abdcb8f3d
796e9c213997e70666fed30ee167c31dedce7f1b98f83db4dd6c0caeb870fdc2
810130f699710ade669053cd5c9cc5c10527bfc3a3fc689c2c0cd66947b870ff
8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560
f1ff4fbaa6991440428ea8b228268b6ba82595aa8cdbcf2e7bb8a69835753b31
f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220630-trcaraece8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Unpacked files
SH256 hash:
4e1c96e05276dd700f69c85d9fdd9f1a72197a0b4a08e5b7e9f2b4fa9f09c72c
MD5 hash:
e47ba85363d968c98b4717c7c36022c8
SHA1 hash:
5a9575d4176c11bc98bbcab2b581f8cf440b702b
Link:
https://www.unpac.me/results/d3ed9ed9-8f61-46d6-8354-65f4b0808f06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e1c96e05276dd700f69c85d9fdd9f1a72197a0b4a08e5b7e9f2b4fa9f09c72c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4e1c96e05276dd700f69c85d9fdd9f1a72197a0b4a08e5b7e9f2b4fa9f09c72c

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2252733/
Cape
Cape
https://www.capesandbox.com/analysis/284639/

Comments


Avatar
zbet commented on 2022-06-30 16:16:15 UTC

url : hxxp://85.202.169.21/secbluezx.exe