MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 599ddba0ada8097bf76bfc1141869d98cee8f1e90a9fed31e48fd752a13756ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 599ddba0ada8097bf76bfc1141869d98cee8f1e90a9fed31e48fd752a13756ef
SHA3-384 hash: ad4c3bd3c9b511a10a9d07838c3f6e3a5cb05682880ed47a3cd7baf04e35b32c2e1994f11aab68aa434f0959c51cb792
SHA1 hash: 4d50578c6ff80b34d10f37e289080d062567cf2c
MD5 hash: 638ab205eea4df79bd04a5b7825c59f1
humanhash: six-princess-lemon-september
File name:fil.exe
Download: download sample
File size:663'552 bytes
First seen:2022-06-15 13:07:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:I2iNeHqk1jeDz2d3uygbYcM3u+AZcVCK5XLzB90uPNLHxa/WuOx3x:I1cHDjeDaBjcDMZ
Threatray 2'826 similar samples on MalwareBazaar
TLSH T104E48CAC362C75EFC857C572AAA81C64EA2434BFA75B51179423059E9E4CB87CF240F3
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter madjack_red
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fil.exe.bin
Verdict:
Suspicious activity
Analysis date:
2022-06-15 03:10:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c9d724f-45a0-4aa5-9671-9171c1e27a70

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/280186/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file in the system32 subdirectories
Sending a custom TCP request
Launching a process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a9da51f2cc5c4fd9dfd8eb/reports/c3784a24-567e-4780-a4b1-7a98a0fb871c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/085c1b38-9cce-4137-9c32-f8bc413c5f8e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1013694
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/599ddba0ada8097bf76bfc1141869d98cee8f1e90a9fed31e48fd752a13756ef/
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-06-14 13:08:18 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lgo5xifnvaexx53l7qiudbu5tdhor4pjbkp62mper7lvfijxk3xq._file
Verdict:
malicious
Similar samples:
37a192054be028fdfc82f70ea2763155a3b4f46b64ea2970ad044b39f00f4d06
4b43870c6b65e05789acb91fad8e94c8b8d3624cb8424e0a99abeca2be7020d9
56288de1614c45a260868392454f459af7f99d1d9b1d2d0aa07bb88c63412a19
77d8b86738c752ab77f79106aab74b11253cfa84fbcc3bb09de4b7c28276a33d
7e08756edb336543ee9414c648c8c5d11f8d2905f8cea811a862a6b5368fd365
+ 2'816 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220615-qc7xbsfhej/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696
MD5 hash:
39f524c1ab0eb76dfd79b2852e5e8c39
SHA1 hash:
428018e1701006744e34480b0029982a76d8a57d
Link:
https://www.unpac.me/results/e98793e9-70b0-4de8-aef8-aed13866e9c0/
SH256 hash:
599ddba0ada8097bf76bfc1141869d98cee8f1e90a9fed31e48fd752a13756ef
MD5 hash:
638ab205eea4df79bd04a5b7825c59f1
SHA1 hash:
4d50578c6ff80b34d10f37e289080d062567cf2c
Link:
https://www.unpac.me/results/e98793e9-70b0-4de8-aef8-aed13866e9c0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/599ddba0ada8097bf76bfc1141869d98cee8f1e90a9fed31e48fd752a13756ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 599ddba0ada8097bf76bfc1141869d98cee8f1e90a9fed31e48fd752a13756ef

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/280186/
  
URLhaus
https://urlhaus.abuse.ch/url/2240126/
  
Delivery method
Distributed via web download

Comments