MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ISRStealer

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda
SHA3-384 hash:	b956af0fb8e57a9d1f4af201f1416ebc8a000b29983a54d62ed42b2ae4820eb274dcf3039e5d4768ae8ab3b942de79c0
SHA1 hash:	b14d0981eacceaa7d72ef52fea15aacd7df1a4fc
MD5 hash:	b192f4eb3271c0bfc58f5485cfa2b775
humanhash:	paris-oven-ceiling-aspen
File name:	SCAN001-PO-2 x 5kg HfO2.exe
Download:	download sample
Signature	ISRStealer Create hunting rule
File size:	661'504 bytes
First seen:	2020-06-03 14:25:58 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	12288:AI+Wl3fLXN4ws7kCEVh51abmiLzTpzvjkrvvGBjDJWZEHmmIWS2EWIbjZs2:AItZfaws7GmXEWIy2
Threatray	799 similar samples on MalwareBazaar
TLSH	CEE45BAD721072EFC85BD472DAA81CA8EA60747B831F5207942715EDEE4C997CF244F2
Reporter	abuse_ch
Tags:	exe ISRStealer

abuse_ch

Malspam distributing ISRStealer:

HELO: alliedsoyatech.com
Sending IP: 95.211.208.25
From: Bonyan Alfadil <sales@alliedsoyatech.com>
Subject: PO for 2 x 5kg HfO2
Attachment: SCAN001-PO-2 x 5kg HfO2.rar (contains "SCAN001-PO-2 x 5kg HfO2.exe")

ISRStealer C2:
http://amayapalmgarden.lk/wp-admin/cgi/PHP/index

Intelligence

File Origin

# of uploads :

1

# of downloads :

73

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-06-03 14:44:00 UTC

AV detection:

23 of 31 (74.19%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=msz2nlp2yxfik2qv3hakekcaavsqmvrk5fbdhiylfshdfj7wdtna._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

emotet

Similar samples:

38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea

3e0a5536a96d3ea0b97b034c193bcb933f2dd8dfc8e159915951ab3842630b20

68101d145825fc980210f1f56638011d98eeaf5c53fb734b62a80dac6489f2e3

7e6dc9928e049d75cd726d8542b39cf46afef0cfd37c8dcb968ea618aedbb696

944b633d92799fe6aeefae5de7945b6b0b69020ed669d9d7e68ebd80868771e6

973c6ca52f1749604a7ba4aeeb65e2e3ea610707651dd637199249bf4ba0b6ea

99e8e8f1ec69e184c986d1c35deb49f85df828936c933120edf58906c814ca53

a2966a3e5a7753ea245a9e5228cf96d631e15a3777a5b2550724bed0f646784a

d87c321887e33a1f90a29b21be81459835a725d9a056916b1cafaaacc06169f5

f0e180d5a00ca5ab5c375261bd3b986b3ef7b5474fb5935b64caa7f02fb02148

+ 789 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware upx

Link:

https://tria.ge/reports/201109-q27zdetm36/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 4a4e39bf9b1861a4c8dcb463c71e15b778db66660b7075400c99d844bf270cd3

exe 64b3a6adfac5ca856a15d9c0a22840056506562ae94233a30b2c8e32a7f61cda

(this sample)

Dropped by

MD5 04faed3d1be3861381d3069007e926c9

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 4a4e39bf9b1861a4c8dcb463c71e15b778db66660b7075400c99d844bf270cd3

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample