MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67e810f974c62d9a196316f3dd91773091249185269db8cd92c4c54ca2270d65. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67e810f974c62d9a196316f3dd91773091249185269db8cd92c4c54ca2270d65
SHA3-384 hash: c529e617adc06d8a74940249e3bd2a4911f75e9bf0da72fa03f1b94d5c0da600d0d553c88c4b1a49f871120d0759be52
SHA1 hash: 8f45d5319e8e08be8fb83e26b29f46c2e4990568
MD5 hash: a367b89167b2b8a418104409936e6c6e
humanhash: india-mountain-kansas-delta
File name:67e810f974c62d9a196316f3dd91773091249185269db8cd92c4c54ca2270d65
Download: download sample
File size:453'120 bytes
First seen:2021-02-23 15:29:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 6144:/TG3ifLx6KHo/jFvn3DAnmbd0tGXrSybsYcr04dqlGUqqDL:/SMx6KHutFd0trybsYK0RIxqn
Threatray 30 similar samples on MalwareBazaar
TLSH 8DA43DEC1B98ED21D5AD2272B0C4306C27F7758ADD69EE696EDBD08838433E124E151F
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118663/
Detection(s):
Win.Packed.Enigma-9832639-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file
Launching a process
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Sending a custom TCP request
Unauthorized injection to a recently created process
Setting a global event handler for the keyboard
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/615855
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356936 Sample: AZjP1E0nRZ Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 12 other signatures 2->57 7 AZjP1E0nRZ.exe 1 18 2->7         started        11 RuntimeBroker.exe 2 15 2->11         started        14 tJPIuKvlkoCFCHFqOfKNzmbQdrfRn.exe 3 2->14         started        16 wermgr.exe 2 2->16         started        process3 dnsIp4 37 C:\Users\Default\RuntimeBroker.exe, PE32 7->37 dropped 39 C:\Recovery\RuntimeBroker.exe, PE32 7->39 dropped 41 C:\Program Files\...\RuntimeBroker.exe, PE32 7->41 dropped 43 7 other malicious files 7->43 dropped 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->67 69 Drops PE files to the user root directory 7->69 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->71 18 wermgr.exe 3 7->18         started        21 schtasks.exe 1 7->21         started        23 schtasks.exe 1 7->23         started        25 3 other processes 7->25 45 cn31017.tmweb.ru 92.53.96.116, 49724, 49728, 49729 TIMEWEB-ASRU Russian Federation 11->45 47 ipinfo.io 216.239.38.21, 443, 49725 GOOGLEUS United States 11->47 49 192.168.2.1 unknown unknown 11->49 73 Multi AV Scanner detection for dropped file 11->73 75 Tries to harvest and steal browser information (history, passwords, etc) 11->75 file5 signatures6 process7 signatures8 59 Antivirus detection for dropped file 18->59 61 Multi AV Scanner detection for dropped file 18->61 63 Machine Learning detection for dropped file 18->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->65 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        31 conhost.exe 25->31         started        33 conhost.exe 25->33         started        35 conhost.exe 25->35         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/67e810f974c62d9a196316f3dd91773091249185269db8cd92c4c54ca2270d65/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-02-21 21:16:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
33 of 48 (68.75%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1840872e8117b0efa252bc324ae2944d5c5b9242c928e3a568ccde06354eec35
6cb630a1d7847f05f6ed4fff7f861973040de763f2e192ce8fd1e6649de101a9
71f88e8c4b70c78ba9ab63ce24044701518380aed406b02e718ed90de7c67edf
9410e496d1a29876d153d83af6cf3ffb21d7d072b476d6a8a28497e4b5f4ae63
9a080e918c88adb048ffca38c0604318eee80e19be5a578186a63cdd64d45a41
ada0493109fcfa84a332ad136f04a96ca7eadc323b57cdce2e6fe3066c37321e
c0258a01a5881d1f5de632d7617a0e225173696db23fb99f72ea1c84e6be396c
cbf5df7f33dba3c2a8ef527d3be5cfaf68a05e8a45366a5e2389ef6758c6fc85
e7a5d0ba8bd504c770d04e59ce0fae3b386f7d60cc8c70ecc2afb6855631898b
f6a307d243c407c27489de37adac83e9205be531cbb4e2cb71545627faf813fd
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/210223-3kezjxs66j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Looks up external IP address via web service
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
67e810f974c62d9a196316f3dd91773091249185269db8cd92c4c54ca2270d65
MD5 hash:
a367b89167b2b8a418104409936e6c6e
SHA1 hash:
8f45d5319e8e08be8fb83e26b29f46c2e4990568
Link:
https://www.unpac.me/results/7349cf33-4c5d-4b19-830f-2b2a503b2d23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/67e810f974c62d9a196316f3dd91773091249185269db8cd92c4c54ca2270d65

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/118663/

Comments