MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4
SHA3-384 hash: 1600329dea304940b798a1a44d02ade7f1c2eda2c1b54f0e2147cfc28b9079f30794ebf2f25639df766018fa42054441
SHA1 hash: a8c4007d7b15870aa9bd52ba9b50d9e98203a94a
MD5 hash: f2050093cc7b7a5d09f4c095e8314f0a
humanhash: shade-finch-autumn-sink
File name:f2050093cc7b7a5d09f4c095e8314f0a
Download: download sample
File size:1'338'293 bytes
First seen:2021-07-09 01:25:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:zFzw+ws51ZllRIV5/LnOB15ZIBB2BIPXT33Rnq9ZJ:xzw+ws51ZllRIV5/Ly5ZIf2BI7IZJ
Threatray 326 similar samples on MalwareBazaar
TLSH T1B95523722E656D39F6D03BBE11704A61D66A7C201624DBEFC7403A8E3FB2A035D1936C
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
thief-2.jpeg
Verdict:
Malicious activity
Analysis date:
2021-07-08 19:20:43 UTC
Tags:
trojan stealer loader
Link:
https://app.any.run/tasks/8190ec08-e002-42c2-b6ce-3c0977df79ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170588/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IntelRapid
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5097c261-bbc4-4f22-89b8-de52eb87ee82
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813821
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446232 Sample: BIFL5JNPPt Startdate: 09/07/2021 Architecture: WINDOWS Score: 100 76 Multi AV Scanner detection for domain / URL 2->76 78 Found malware configuration 2->78 80 Antivirus detection for URL or domain 2->80 82 9 other signatures 2->82 11 BIFL5JNPPt.exe 25 2->11         started        14 SmartClock.exe 2->14         started        16 SmartClock.exe 2->16         started        process3 file4 54 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 11->54 dropped 56 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 11->56 dropped 58 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 11->58 dropped 60 3 other files (none is malicious) 11->60 dropped 18 vpn.exe 7 11->18         started        20 4.exe 4 11->20         started        process5 file6 23 cmd.exe 1 18->23         started        50 C:\Users\user\AppData\...\SmartClock.exe, PE32 20->50 dropped 26 SmartClock.exe 20->26         started        process7 signatures8 84 Submitted sample is a known malware sample 23->84 86 Obfuscated command line found 23->86 88 Uses ping.exe to sleep 23->88 90 Uses ping.exe to check the status of other devices and networks 23->90 28 cmd.exe 3 23->28         started        31 conhost.exe 23->31         started        process9 signatures10 92 Obfuscated command line found 28->92 94 Uses ping.exe to sleep 28->94 33 Altrove.exe.com 28->33         started        36 PING.EXE 1 28->36         started        39 findstr.exe 1 28->39         started        process11 dnsIp12 74 May check the online IP address of the machine 33->74 42 Altrove.exe.com 3 19 33->42         started        64 127.0.0.1 unknown unknown 36->64 66 192.168.2.1 unknown unknown 36->66 52 C:\Users\user\AppData\...\Altrove.exe.com, Targa 39->52 dropped file13 signatures14 process15 dnsIp16 68 ip-api.com 208.95.112.1, 49749, 80 TUT-ASUS United States 42->68 70 XKFhzuZwJRKmcLvfCrjxqTMmX.XKFhzuZwJRKmcLvfCrjxqTMmX 42->70 62 C:\Users\user\AppData\Local\...\frdehcvg.vbs, ASCII 42->62 dropped 46 wscript.exe 12 42->46         started        file17 process18 dnsIp19 72 iplogger.org 88.99.66.31, 443, 49750 HETZNER-ASDE Germany 46->72 96 System process connects to network (likely due to code injection or exploit) 46->96 98 May check the online IP address of the machine 46->98 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-09 01:26:05 UTC
File Type:
PE (Exe)
Extracted files:
49
AV detection:
23 of 46 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0ffa9641556c11890735aba122f4ebf94370fb4aab8c613f5025df7559214f51
1a20c5312e2fdcfa9ca5e23d886054b5dcf6435e205f806856317a9c91028cc3
2afd735ca5d2ad8a8478c4832e4827b150e30d5f0b7c1dc174ce934017ee1d76
2bb47d3ba37100ccb3b132f45defed5d389bc48f317d1aeed899aad8adbaadb4
3666dd8e3ce14a3b7273c405f7318402f3c2d203104966f326c3d93ee0d0570a
3b54060fd0010e7ae68bff0302358bf5464d784a12d1566bd69f403239a8723e
7525f2c1ccec025adb8f773ab10ecd9cee7bacec9949a7415ad239cec969bfb8
78917f8c2ce40501bb4bf955f14e9f96dea7aa003bc6d21611d6c771a7df6a16
b2ee06af075bcc9cb66e685417684c91df5cea6679a8ccf6608857dab0a46b50
fe0921df62f37332cab9e56fbbfe050e204e196e55eb323657c1f0469a6ff27b
+ 316 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210709-zn75r6m2ea/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
cae2af36f866fed9753ecc423bf1cfb3d1b5f2c3179dddc1715d6c896812d669
MD5 hash:
0fcc3d7408dfb7b31d8e36982dab298c
SHA1 hash:
6ebe13e8565ab5cfc7f8eac8973c156531b2a1e2
Link:
https://www.unpac.me/results/75e0be22-05bf-4167-abd0-2ac2228210e6/
SH256 hash:
c702f4ad0d759beb04b957c29fec6da9d751cdd9dcb32044526ba13c28435131
MD5 hash:
07f6488e2cb3bc511a94e6613c829a38
SHA1 hash:
e1076916858815fbbed3ebe1cf0c2057587017b7
Link:
https://www.unpac.me/results/75e0be22-05bf-4167-abd0-2ac2228210e6/
SH256 hash:
871d00bfb1788afb5f17512d710c7899e0a221e272aa3f5e7080e72460309cc2
MD5 hash:
b93eb54a6ed04db2d8f87f9272693e01
SHA1 hash:
4ceecd312d8dc9b5b99a7f7b08760c81f1e27010
Link:
https://www.unpac.me/results/75e0be22-05bf-4167-abd0-2ac2228210e6/
SH256 hash:
6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4
MD5 hash:
f2050093cc7b7a5d09f4c095e8314f0a
SHA1 hash:
a8c4007d7b15870aa9bd52ba9b50d9e98203a94a
Link:
https://www.unpac.me/results/75e0be22-05bf-4167-abd0-2ac2228210e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6e3bf07d961efc686017f48cf2f847072cb35699dc24e44287d9e01274814ad4

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1437562/
Cape
Cape
https://www.capesandbox.com/analysis/170588/

Comments


Avatar
zbet commented on 2021-07-09 01:25:36 UTC

url : hxxp://otiavy06.top/downfiles/lv.exe