MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 686d56d6a2903bf7b2f9710f308046a91f5f9082db14a7470f93a59e9939ec4c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 686d56d6a2903bf7b2f9710f308046a91f5f9082db14a7470f93a59e9939ec4c
SHA3-384 hash: ae5608898e6647d03f61f36efcea035076473aaee56ca393b54b9fcd2225fa2651fa8e736861da55a60c10126078361e
SHA1 hash: 6630a7aaafcb5bc47240ebdbb4233abf5f353ca8
MD5 hash: 829775bde5f5559e2948224d8a4e5ef9
humanhash: lithium-jig-louisiana-oregon
File name:01.exe
Download: download sample
File size:110'592 bytes
First seen:2022-03-09 12:15:53 UTC
Last seen:2022-03-09 13:36:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:yeKhxSQtiBv0b1WjiZ1ONa+pSPPZgcd+:yxaQtFb1WjiZ1ON5SP2
Threatray 718 similar samples on MalwareBazaar
TLSH T1B4B30906214FB7B5CDE646B99BB0F65402E36D07FBB39A397014FF1834BA72698520E1
File icon (PE):PE icon
dhash icon 718e030f0f038e71 (1 x Arechclient2)
Reporter r3dbU7z
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Arechclient2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/248631/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39152227.2927.11130.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
DNS request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62289a85b94fb38cb4473fa2/reports/8d9aec08-c807-4cbc-9229-66f650ee53c4/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5fc45d14-10e8-4069-af06-afb1f9c01853
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/953266
Signature
.NET source code contains potential unpacker
Encrypted powershell cmdline option found
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Encoded PowerShell Command Line
Yara detected Costura Assembly Loader
Yara detected MSILDownloaderGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585747 Sample: 01.exe Startdate: 09/03/2022 Architecture: WINDOWS Score: 80 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected MSILDownloaderGeneric 2->27 29 .NET source code contains potential unpacker 2->29 31 4 other signatures 2->31 7 01.exe 15 3 2->7         started        process3 dnsIp4 21 cdn.discordapp.com 162.159.133.233, 443, 49778 CLOUDFLARENETUS United States 7->21 23 tiny.one 188.114.97.7, 443, 49777 CLOUDFLARENETUS European Union 7->23 33 Encrypted powershell cmdline option found 7->33 11 cmd.exe 1 7->11         started        13 powershell.exe 7 7->13         started        signatures5 process6 process7 15 conhost.exe 11->15         started        17 timeout.exe 1 11->17         started        19 conhost.exe 13->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/686d56d6a2903bf7b2f9710f308046a91f5f9082db14a7470f93a59e9939ec4c/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-06 00:48:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
21 of 42 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
2430ab1a8b5c4c36c66271987d5759ac50272bd98fa6d3ba9d0d2863e27c242d
37f622dd2b5e534ac844fd9d8f61781a9ebcbdebd44741ea219df4baf0196bcb
44282dbf84b4ca3da5ca238140e9aaee406fc342b459b9d27fea581802287ca5
5d3c5823083a457fff3bad4d6339992023bf6ab0e188b1b800a80b8e28ec1fd5
81a038c68cad70842103b529b57dcc860a17d2da9d3fca4a76767d26c4d868d4
b27c477d35348333fe29119d3f5c6f4418e6a6f842aee983d819274a1e18021e
cdcb92f83216720f2d567392a6a4d9bc1b90b3f900b783934a402d310ae5ff46
d897279f21d4e5e36d89eb1eba9dcf995855a076d1578c644ff1726fc11d3d8b
ea7e4e307e47c6fc4a115de164fc75258e7051ec14dda264563cde054e31610a
ea930b3655ed7afd7121e9ed20477a2b1849a7bb2a3f51d5b67697dc1614202c
+ 708 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220309-pff3cabcbq/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
686d56d6a2903bf7b2f9710f308046a91f5f9082db14a7470f93a59e9939ec4c
MD5 hash:
829775bde5f5559e2948224d8a4e5ef9
SHA1 hash:
6630a7aaafcb5bc47240ebdbb4233abf5f353ca8
Link:
https://www.unpac.me/results/22c61a71-a7bd-4119-aa54-13fe66b85a5c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/686d56d6a2903bf7b2f9710f308046a91f5f9082db14a7470f93a59e9939ec4c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 686d56d6a2903bf7b2f9710f308046a91f5f9082db14a7470f93a59e9939ec4c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/248631/

Comments