MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cc1defb3561d0fd290639bc8efd9b4dbe608f1d761fb62d21f170ad0101c8ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cc1defb3561d0fd290639bc8efd9b4dbe608f1d761fb62d21f170ad0101c8ac
SHA3-384 hash: 4d51ba85117daf5a37fe4bbc62289068deca977cf8dd08ba78ecc4168a78d5c3e6d9632ddfbb3dabeef6d547fe67a53c
SHA1 hash: e3769715c0a29b88f06b4c565df7f436624454fc
MD5 hash: b53323fe8759b223cceb0c6e4181cb4e
humanhash: september-avocado-sad-jersey
File name:file
Download: download sample
File size:464'896 bytes
First seen:2022-11-19 17:42:58 UTC
Last seen:2022-11-19 19:34:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kWi7ytiQJ82akxIIgmItMUFgte3A6pHadZFy6UTu:kZ+tHJ8wIImHgtetQNy
Threatray 4'715 similar samples on MalwareBazaar
TLSH T17AA4C01A7A698E01C3992E70D1E355356BA1E5873273F34E2F9972E21E133F48E493D2
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter jstrosch
Tags:.NET exe MSIL

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-19 14:58:04 UTC
Tags:
loader trojan rat redline
Link:
https://app.any.run/tasks/ad7e6816-9ac4-4d15-90e1-89cbceec7c3b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/336165/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.1186.586.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/637915aae64742f53c104371/reports/9af5c24a-053f-41c3-a702-7fa486addd72/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53bfbfde-0135-46ec-bf93-56aa0903b689
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1117271
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cc1defb3561d0fd290639bc8efd9b4dbe608f1d761fb62d21f170ad0101c8ac/
Threat name:
ByteCode-MSIL.Trojan.Startun
Create hunting rule
Status:
Malicious
First seen:
2022-11-19 17:43:14 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
13 of 25 (52.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lta556zvmhip2kighg6i57m3jw7gbdy5oyp3mljb6fyk2aibzcwa._file
Verdict:
malicious
Similar samples:
1c2ed8e471b06a7dd81de32ff5d02284fe83e37f94beb4e6e033ba06b93c0729
2201eda7898979f08187156740f0e2b9012da6d51f0905c3122b95c39bade49f
55062426c1293d24d180597db4abc81a94f3d465d63032bf6c74ad3a0e752043
8c22efa05796adfd02686772b5c1f31acc61985890de50b8bdea7c25c348782d
8c88e83a7d8ecdc337997e822c9ed368d6fe3bff0ff4e3b4b1b55a0cabeb09f1
b541c7be67db127dfc53c8b8830d80d99a7389b1b40815057a4f4cdb64f37691
dc1434e6bd3de66b0bcc6f06d93c68ce95a5c6699445f2adc5d673cc1ad73c68
+ 4'705 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221119-waka5sda33/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/db0eda1d-a7c8-42eb-b384-223c15fa3a9f
Unpacked files
SH256 hash:
ee65267ff7c74c3762bd51b3634f74850691c2f4308dbc32c2be046622295bbc
MD5 hash:
27aab47e5f78adeaf722b334bfce1e05
SHA1 hash:
d23839a9d276d904636457208fbd53284918bfa6
Link:
https://www.unpac.me/results/2ad0e420-c225-40da-a864-1be734c66df3/
SH256 hash:
f00ade89270423ccfa29e982c573435a43ee7445e3649a4eaf40f1114e1c4890
MD5 hash:
c236c7d510f678fdf13bb3ac199b75b0
SHA1 hash:
5f8fec17ce06d13a8a54a4e0491934864734b069
Link:
https://www.unpac.me/results/2ad0e420-c225-40da-a864-1be734c66df3/
SH256 hash:
5cc1defb3561d0fd290639bc8efd9b4dbe608f1d761fb62d21f170ad0101c8ac
MD5 hash:
b53323fe8759b223cceb0c6e4181cb4e
SHA1 hash:
e3769715c0a29b88f06b4c565df7f436624454fc
Link:
https://www.unpac.me/results/2ad0e420-c225-40da-a864-1be734c66df3/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5cc1defb3561d0fd290639bc8efd9b4dbe608f1d761fb62d21f170ad0101c8ac

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/336165/

Comments