MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a
SHA3-384 hash: 9867fc815bd155a1d250d4b4a2afa30a131e7b37ea8d647c0b3edf83d9c83cd13a057df3457d4e7d533336ec6b3a456b
SHA1 hash: 35f1f6fd8c8a0dd39ad501a8e2f3eb886352ae58
MD5 hash: 4d103ddc1056730680997587a7080cd2
humanhash: cup-wyoming-six-lamp
File name:DSG2011001_INV+PL.exe
Download: download sample
File size:29'696 bytes
First seen:2023-02-10 07:10:35 UTC
Last seen:2023-02-10 14:02:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 384:z4kzOm6jvhorO3NnyshMP9Nkyn5PlK3S31BgzKyl8cBKNNqJ++SwcE3jk8O4B9lc:zkPWfTyBKPxwR9HStWDPhEpvEZQ
Threatray 1'098 similar samples on MalwareBazaar
TLSH T107D2191576FC5B27F97E27FA84B1228043F6B7AA1411E74D2DD4B1CF1CA6B014221BAB
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
9
# of downloads :
181
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DSG2011001_INV+PL.exe
Verdict:
Malicious activity
Analysis date:
2023-02-10 07:12:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/132392fc-86a5-4715-b0d7-07052610e1a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/363230/
Detection(s):
Sanesecurity.Rogue.0hr.20230210-0034.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63e5ee08e40327f8799aa321/reports/1bf66c93-69a3-43f3-8d94-a94a15fd9a06/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f5c3a88c-c930-468d-9615-6e3f39def51b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1170927
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a/
Threat name:
ByteCode-MSIL.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2023-02-10 01:44:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mzskcgvakvesx3zowtlyymddq6o33il6mf4fc73mkll25kvaceva._file
Verdict:
malicious
Similar samples:
41955ff332c22ffa3c2014f4bdffc2db6b5ae75d8289df443929a507dca525cd
4fe523babbfae3a14393d7b07afbbfc13be4f5084dba9588adb38913b3527c36
66bdde9f427859cc6b7cc1ff67bdf9d93ff8b0d7bc226185cb2195c746e28a0a
67ffb10d7ef8cc9b49ef3ad7affcd7f865391cac2cdbad7ae1d259ec6a4a0cb8
b77a024602ae648ad80a3fd49f08a26b99c377b81b189b60f474437ab13205b4
bac6488f76da4691540401614bc665dfc5bec8d875cb26e72870c65ac43fe268
bbea7541f726c2ecb8eebbc87f6f52b50db57a836571ae9b0f1fd91dfb653b48
bc8560177aa43a687207e68c27c1c9378eb6fff83e61d279641c9256d79ea055
+ 1'088 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230210-hzyceahb52/
Unpacked files
SH256 hash:
6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a
MD5 hash:
4d103ddc1056730680997587a7080cd2
SHA1 hash:
35f1f6fd8c8a0dd39ad501a8e2f3eb886352ae58
Link:
https://www.unpac.me/results/f6c45641-b8f6-475c-b72c-e2cd7d672df1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 42c1c4d53d633549626f33b20823f6b56a8a1b5a5784ef46a1dba6c9ae2f91ca

Executable exe 6664a11aa055492bef2eb4d78c3063879dbda17e6178517f6c52d7aeaaa0112a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/363230/
  
Dropped by
SHA256 42c1c4d53d633549626f33b20823f6b56a8a1b5a5784ef46a1dba6c9ae2f91ca
  
Dropped by
MD5 71b4c6f45a112b640a2c9fdc0d913504
  
Dropped by
SHA256 f88ceec9e066e83aa62889ce9e41ff1a5b99d95cefa14dd4fd8dcb9124e92ff2
  
Dropped by
MD5 b4ef1b34a1e441812d67b780de24482e

Comments