MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106
SHA3-384 hash: 4d4a3540a1052c86b14af1e431b1e29eb6880bf53168c8f23d6013c6a1999bde3243b3aaae9c8503dce55ed75d396db4
SHA1 hash: c1eb86208b141939796eb798f4fc7b6ae453d918
MD5 hash: d7a5f0fbd8a2b6227484c9df11ada0e6
humanhash: oklahoma-neptune-comet-michigan
File name:234567890004234567890.exe
Download: download sample
File size:1'567'744 bytes
First seen:2021-10-07 06:45:29 UTC
Last seen:2021-10-07 08:06:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:973K8D54R3ubyoYIMYggneB0Jc4E9pFYtgXeYtVFB0x:9zbU3ubLFKcj8YtKFyx
Threatray 55 similar samples on MalwareBazaar
TLSH T1B175F13D75C17C7BCB7EC23D8CA68D341D911A470C80699E7EE129FA4CA7640BE47A68
File icon (PE):PE icon
dhash icon 5145032317177149 (1 x a310Logger, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
234567890004234567890.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-07 06:57:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dc7de5cd-3891-426f-a96d-255ac83fab5c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195625/
Detection(s):
SecuriteInfo.com.Heur.MSIL.Androm.1.30670.861.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated obfuscated packed
Link:
https://www.filescan.io/uploads/615e97b5b95458900cddddbe/reports/859af9b9-a740-4963-a778-d9bafc78dbde/overview
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866065
Signature
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 498495 Sample: 234567890004234567890.exe Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 36 Multi AV Scanner detection for dropped file 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 42 3 other signatures 2->42 8 234567890004234567890.exe 3 7 2->8         started        process3 file4 22 C:\Users\user\AppData\Roaming\...\payload.exe, PE32 8->22 dropped 24 C:\Users\user\...\234567890004234567890.exe, PE32 8->24 dropped 26 C:\Users\user\...\payload.exe:Zone.Identifier, ASCII 8->26 dropped 28 3 other malicious files 8->28 dropped 44 Creates an undocumented autostart registry key 8->44 46 Writes to foreign memory regions 8->46 48 Allocates memory in foreign processes 8->48 50 Injects a PE file into a foreign processes 8->50 12 234567890004234567890.exe 15 2 8->12         started        16 wscript.exe 1 8->16         started        signatures5 process6 dnsIp7 30 checkip.dyndns.org 12->30 32 checkip.dyndns.com 132.226.8.169, 49857, 80 UTMEMUS United States 12->32 34 freegeoip.app 104.21.19.200, 443, 49872 CLOUDFLARENETUS United States 12->34 52 Multi AV Scanner detection for dropped file 12->52 54 May check the online IP address of the machine 12->54 56 Tries to steal Mail credentials (via file access) 12->56 60 3 other signatures 12->60 58 Wscript starts Powershell (via cmd or directly) 16->58 18 powershell.exe 24 16->18         started        signatures8 process9 process10 20 conhost.exe 18->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 14:09:27 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lohtsvvmfpqh7z3t3hbjjzolvuewrz72thc7n7k5dbgkuujmkeda._file
Verdict:
malicious
Similar samples:
13404bd37fb5ffbe300e5875febb1934d03344f4c6e7dbc0d2dc2def3253ef34
2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced
3023261456361410fc8e6f5ec4c22d0c2aa7d02fd62148de20819945e99a86a3
3554f11996cf0ec2e3541b07c9460a5da109d65117795f7e1a12727184b9446b
683de9f06f811629c5ff539256f0674ddcf03a60baa60783e8ef2dc1496d8b7c
8c44a80c5b7ef52d01a5828c26fcbbb99b3e9d85509806cebd4e4b3f10c902bb
ae025c9c90faa47f899e3154fde3917187f1332962729da17e29353e0afe50f3
b3e18d1026779e01b6bc834a8da488eeb669e5e366ef8d495c109c0f1424d3c1
d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd
e27ae78e140dba266fe075c4f1d9c15f864b9736a37200167cd294208f052199
+ 45 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/211007-hjpekabhf6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c8650b92c9ee5b75e1692ab5c0636be0d227aab6603946aa08801d833725c2f2
MD5 hash:
fb5b42e3215b380c494ac73c824576d0
SHA1 hash:
3c31f08a2cb617c9d0ff98a2b8fd778a5ed2b90c
Link:
https://www.unpac.me/results/fe6991c9-eced-4d68-92eb-e2df3dd707cb/
SH256 hash:
9d6438be17052e09ae74f5e43d3b57a668ffb0e5197e83e00f0b28ed9bffcb45
MD5 hash:
00f45b7a415e129fb82055aa22ac081f
SHA1 hash:
cfa6dc58331d4a4cc41b56d012c0d86e0f2a116e
Link:
https://www.unpac.me/results/fe6991c9-eced-4d68-92eb-e2df3dd707cb/
SH256 hash:
5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106
MD5 hash:
d7a5f0fbd8a2b6227484c9df11ada0e6
SHA1 hash:
c1eb86208b141939796eb798f4fc7b6ae453d918
Link:
https://www.unpac.me/results/fe6991c9-eced-4d68-92eb-e2df3dd707cb/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5b8f3956ac2b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/195625/

Comments