MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64882106efa5e4e6e169f60b962f6240c4f61e4361d4588d3119c37316d1b651. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64882106efa5e4e6e169f60b962f6240c4f61e4361d4588d3119c37316d1b651
SHA3-384 hash: 29e843bb4682f5086bcd631a72507539699909d79b7df8f25ba89b90690951390c7f1bccea03a18ceeccb3a3e627de42
SHA1 hash: 0382755c5398bc36d788d33c9c70d90763405c9a
MD5 hash: 64220e313c52635c8ca6c8a20ea990df
humanhash: march-video-avocado-red
File name:Linkphone.bin
Download: download sample
File size:427'536 bytes
First seen:2020-07-15 08:00:31 UTC
Last seen:2020-07-15 09:11:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 6144:1eUCOkJzmUzp36btl6F/cHD4qVpvUtcmN0ccHcGMAJ1XXHLr129DLRncy6oPk8tt:1tCximpF/mkwpvUCmgcGj1ktLRcy6OL
Threatray 104 similar samples on MalwareBazaar
TLSH 119402027B607731CAF74BF40AE494228BB5BA668871E35D4CD939CF1571F608AA1F27
Reporter JAMESWT_WT

Code Signing Certificate

Organisation:Symantec Time Stamping Services CA - G2
Issuer:Thawte Timestamping CA
Algorithm:sha1WithRSAEncryption
Valid from:Dec 21 00:00:00 2012 GMT
Valid to:Dec 30 23:59:59 2020 GMT
Serial number: 7E93EBFB7CC64E59EA4B9A77D406FC3B
Intelligence: 85 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0625FEE1A80D7B897A9712249C2F55FF391D6661DBD8B87F9BE6F252D88CED95
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25907/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.58782.22836.1192.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Self-deleting of the BAT file
DNS request
Sending a custom TCP request
Possible injection to a system process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file in the %temp% directory
Deleting a recently created file
Moving a recently created file
Creating a service
Launching a service
Launching a process
Creating a file
Running batch commands
Creating a process with a hidden window
Enabling autorun for a service
Deleting of the original file
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64882106efa5e4e6e169f60b962f6240c4f61e4361d4588d3119c37316d1b651/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-15 01:49:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
12750a545215e41d452a16e1c451f0e0682a5330078813313b67cd09499ac674
3bb1bbf49c6e224032025dc7dacb3862e8b16c8b39e5cc19c5aceda4dbc917d9
496b5885ff8f521c91ca037338e188ea0374bf86816d0c804d3010fd2f5fec38
6ed8e078433a7e7938f2084f83a640d707708ac99a246b31736bd22327664668
8a4214d3c69df6a10e057fe1071e6bbb2ebd463bf3e73b9c66c3cbf3f31839b2
99ee06f5fb4f0aa90678d6a6405d2d01138bcd128c6d2aabecda07c110361ba2
aa8c5d42026ac9a483f1984f762441d7f5805ef914819b473f9e15353995cc99
e81e9dfe89a98449992b1ca9e4acb9905b606dc3de186b9de94241bde3b230be
e8bcd430d48c430ced6992340cbce21ffc1a4d8cc60e6255b76870d33a5ea6b9
fdf29de5bc715feaa80709bdddd59b8293aa538d257ba9dd6a287d065ecb68a8
+ 94 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion discovery persistence
Link:
https://tria.ge/reports/200715-t6x724brna/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Modifies service
Checks installed software on the system
Checks installed software on the system
Loads dropped DLL
Deletes itself
Loads dropped DLL
Sets DLL path for service in the registry
Sets DLL path for service in the registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 64882106efa5e4e6e169f60b962f6240c4f61e4361d4588d3119c37316d1b651

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/413070/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/25907/

Comments