MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce
SHA3-384 hash: 31c150cd85b600204230add1230d08e623f6430013c2c6118a2c83d3279b9c0192e663c421335904c17fa42137a83ef8
SHA1 hash: 72d6003e85c3a271b6e8bd06c24a503d3a609040
MD5 hash: 293d407e9b6637e6524b28b407fafe1e
humanhash: angel-don-mango-winter
File name:293d407e9b6637e6524b28b407fafe1e
Download: download sample
File size:773'632 bytes
First seen:2021-12-05 01:11:29 UTC
Last seen:2021-12-05 03:08:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:7tIp9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q:7W8m657w6ZBLmkitKqBCjC0PDgM5A
Threatray 216 similar samples on MalwareBazaar
TLSH T105F45A0623F88F26D2AF1735B8305A1997F6F407A2B6E7CF6944D5B81D677A08E00367
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
293d407e9b6637e6524b28b407fafe1e
Verdict:
Suspicious activity
Analysis date:
2021-12-05 01:14:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7fcdfde1-8864-4b4b-afc4-17a67221ec29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211391/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38191370.4553.20068.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %temp% directory
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
monero obfuscated obfuscated
Link:
https://www.filescan.io/uploads/61ac11f84d8e6f3a5e10cefa/reports/c92f0ee1-3db7-4d4e-a4c3-c426ab3f0eac/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4673b699-75dd-4b9f-a35d-092ec5795085
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/901544
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-12-04 20:26:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
044b42b8f81ceff503fa504db9a10cc09dd22c456b5c79370a2165fe97bdcdc5
0d852bfcbc49afecc18e426f7d694597966256d55c225a4ae798a7e98200b5ca
25c3bafe1a3b624a4ace62710560bcd09df4f39b0e1d5a85aa0a1f715b20d28f
49109a49df93b6624b2ddbc0f64038ae42b16fee070844d19c1a5c27d4b7764d
76ff41be8f7f15dbb035fb27ad00cbd313d0d75745945b81642f10986fc83ffb
88c93fb2359cc5f0da6886983c67d923955d210daf5a458e382d024124a67458
b97bd972288c26f8eb5b51e18bbae753ddae9a8cd2720fa45a975e764a25efaa
fe65170a6f6cd5ba0df997262bca40350b650067db206bc83bfaf80da94bba9e
+ 206 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/211205-bkpy6abhcl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Looks up external IP address via web service
Unpacked files
SH256 hash:
57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce
MD5 hash:
293d407e9b6637e6524b28b407fafe1e
SHA1 hash:
72d6003e85c3a271b6e8bd06c24a503d3a609040
Link:
https://www.unpac.me/results/081678d3-9a08-4b96-874c-cce02486a75e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:XOREngine_Misc_XOR_Func
Create hunting rule
Author:smiller cc @florian @wesley idea on implementation with yara's built in XOR function
Description:Use with care, https://twitter.com/cyb3rops/status/1237042104406355968

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 57bad7724a2683a2672f01d97aff7a5b247aca56f9e950009c1469407ee503ce

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1852875/
Cape
Cape
https://www.capesandbox.com/analysis/211391/

Comments


Avatar
zbet commented on 2021-12-05 01:11:31 UTC

url : hxxp://host-file-coin-4.com/files/2255_1638620340_3669.exe