MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5303d0b00592274902d1bb42486dced975ac201463869494cb48a1c8c41e95ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5303d0b00592274902d1bb42486dced975ac201463869494cb48a1c8c41e95ce
SHA3-384 hash: 69e871202477435f418f9a65e154a250aabe32fe706383a3a7ec3075388351b8f2b1ea97cb91c7f2b0762cfdebac76f3
SHA1 hash: e4b872f5428b3fcc0757004b2cfd5fc0f6a4901f
MD5 hash: 63d9b135621301a1ac82b1e9b907a0e3
humanhash: sixteen-blue-arizona-johnny
File name:scan2289_RDH000426715.exe
Download: download sample
File size:276'992 bytes
First seen:2020-06-03 04:08:44 UTC
Last seen:2020-06-03 09:37:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:qAaUxhNMJx1Mp1rjebV7Nr6JD6u8w/CpLm2igJPIQqJf1oFCrL391+ondYJWPnsJ:raUDG3Kp1r6VEJD6Lp+VLOQVPM58
Threatray 653 similar samples on MalwareBazaar
TLSH 7B446B1632C95821C5BE0633263657C0E776AE053683E71F78EE23185F3724A7B1AB9D
Reporter jarumlus

Intelligence

File Origin
# of uploads :
10
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 05:33:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kmb5bmafsitusawrxnbeq3oo3f22yiaumodjjfgljcq4rra6sxha._file
Verdict:
suspicious
Similar samples:
03858ed158440d03ed25802a74b88cc2091960e35ded3901d4d0370c88a38d9f
08f7d226c61cc7f24dfc55909238659ddf5c09f47127f348322c2d8636cdca1c
18db348d2bc13a33da2eb37da197acc9072aab8a006ee052e5bfbc57ffc99cee
391ea7416464160ef2c7471149d584e4ae9cbd9fa2062cd4319481db7cf82cf3
52054471a155edf2779e397464d81796b16de9f44476388591dd91a9ce136df2
6d415497a3d0845048c1ccafb82bf70283dd6976dbabb8f1cf639b9780571a40
b44ef73bf2306886ca92291cbbdc5b0d07d6878f9a1b3c84ce476ca69cc4532e
e6628501ee0344c1e6c7adc92944f5ddc7c784c1ac6278bdd7b66164b01707d3
f0d6e0d054cdb2a4795f1aa9761613d3dd829ca5529e63b93b75c12c2554507c
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d
+ 643 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet persistence spyware
Link:
https://tria.ge/reports/201109-9rryt1j9fe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip e2480b64a9e77d667b3ea678f55a382c2b1c2bc3dd192ddd41f0ebd7a31934be

Executable exe 5303d0b00592274902d1bb42486dced975ac201463869494cb48a1c8c41e95ce

(this sample)

  
Dropped by
MD5 9c1e65d34cb45c92cd58886d7255251b
  
Dropped by
SHA256 e2480b64a9e77d667b3ea678f55a382c2b1c2bc3dd192ddd41f0ebd7a31934be
  
Delivery method
Distributed via e-mail attachment

Comments