MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 549497289aba524e85ef14a3a963baf87d13cdb9d74bc3457f9bf221dd3227dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 549497289aba524e85ef14a3a963baf87d13cdb9d74bc3457f9bf221dd3227dc
SHA3-384 hash: 57691794e706aaddc3bed0b385cfad160aec5ff38cbe60e2dbbb69d70de8309c15fa2bff8eedb03797c7f84e939e727f
SHA1 hash: 19412af91a5a25633ef03f783d93895bd8596d31
MD5 hash: 86ceb768df96c85553dd3b502da20e02
humanhash: fifteen-golf-ack-cat
File name:86ceb768df96c85553dd3b502da20e02
Download: download sample
File size:173'568 bytes
First seen:2022-07-13 10:25:40 UTC
Last seen:2022-07-23 02:54:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:XjgTHxochmAMJiQ42MS3DsTE7R5KS+o1mTdK5n7XliG2o/F9fU/9VTiOyiyuiSnH:zexPo/3oYl1qKxXZ2cfU/7nNF
Threatray 181 similar samples on MalwareBazaar
TLSH T175048049B128E409DAD47538AFA1D9B51331AE9C6C195B2638EC7FDF3AFD20B25017B0
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
86ceb768df96c85553dd3b502da20e02
Verdict:
Suspicious activity
Analysis date:
2022-07-13 10:36:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/593ccf61-6aa3-4a9c-a583-5ece9d62155c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286932/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.23677.32091.22957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62ce9e04d6d93426cee99931/reports/cd86b97d-b2ca-4aff-8f6e-0ee27484a66b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ec182e1f-ef4b-4130-8141-c6160a62bff9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1030071
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/549497289aba524e85ef14a3a963baf87d13cdb9d74bc3457f9bf221dd3227dc/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-07-12 07:52:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kskjoke2xjje5bppcsr2sy527b6rhtnz25f4grl7tpzcdxjse7oa._file
Verdict:
malicious
Similar samples:
1504ce4556cda171b2defa751e68ac51f67ea1e18cdd64fa080da56fd2635f39
5adb4cea36b31385d66787ec1a8b686704e9c85793fb8aec0be8ddd7f12fcd0b
7f233c359a87f2297461762b17623d848340fbbbe9cba6a7823216199917f2a4
db50d646494970b78887d4d84f52147c4cdbaa0b23cb4eb330ffa2403735937c
df26b54b984ae1b94fecde99e7b0513a305164f9000929d3467a95d16e33667d
+ 171 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220713-mghlfschhq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
549497289aba524e85ef14a3a963baf87d13cdb9d74bc3457f9bf221dd3227dc
MD5 hash:
86ceb768df96c85553dd3b502da20e02
SHA1 hash:
19412af91a5a25633ef03f783d93895bd8596d31
Link:
https://www.unpac.me/results/9d7f8d8b-8aa4-4210-bb83-1dfe7aab8f69/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/549497289aba524e85ef14a3a963baf87d13cdb9d74bc3457f9bf221dd3227dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 549497289aba524e85ef14a3a963baf87d13cdb9d74bc3457f9bf221dd3227dc

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2256964/
Cape
Cape
https://www.capesandbox.com/analysis/286932/

Comments


Avatar
zbet commented on 2022-07-13 10:25:46 UTC

url : hxxp://107.172.76.179/shini/Ruhxovsn.exe