MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 7 File information Comments

SHA256 hash:	71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987
SHA3-384 hash:	6466d308e2c29144ed1b053228b24928cb5976dd0b9850487932f02898f1fa7950901a376f7e70620b9c3b22ede67d67
SHA1 hash:	439204b6c95b04c16dbd7ff521a7356d9c056f75
MD5 hash:	49f4ab595618ff1018721913a167f322
humanhash:	three-freddie-johnny-fanta
File name:	519807543900.exe
Download:	download sample
File size:	896'000 bytes
First seen:	2024-12-02 06:52:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:VNEAR9MSTBgWFkoPLyN0HSNkugTEXylx:Ms9f3FpDO1wlx
Threatray	4'038 similar samples on MalwareBazaar
TLSH	T15E1512582746DA02CA9497B81EB1F2750BBC2EDDE501E2034FED6DEBB836F105D94293
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika	pebin
Reporter	lowmal3
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

400

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

519807543900.exe

Verdict:

No threats detected

Analysis date:

2024-12-02 06:58:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/f1804bb0-e04b-4db4-937e-141fd1028fb1

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.30581.29291.UNOFFICIAL

Verdict:

Malicious

Score:

90.2%

Link:

https://cyber-fortress.com/docs/result/index.php?id=674d5b1c04c232bff3b5c64a

Tags:

stealer virus gates

Result

Verdict:

Malware

Maliciousness:

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

obfuscated packed packed packer_detected vbnet

Link:

https://www.filescan.io/uploads/674d5954ae6f4170773f2d09/reports/42d2f962-d2ca-4aa7-b118-38b641109509/overview

Verdict:

Malicious

Labled as:

PasswordStealer.Genie8DN.Generic

Link:

https://www.hybrid-analysis.com/sample/71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987

Malware family:

KeyBase

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/47f7ceca-cfc4-4f72-8469-5e4896d00ac6

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1566432

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Costura Assembly Loader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987/

Threat name:

Win32.Infostealer.Genie8DN

Status:

Malicious

First seen:

2024-12-02 06:53:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 38 (65.79%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=oh6esfhxen52bxnk7bdxrsnasy2co5ixia7vup2jfybxx7lojgdq._file

Verdict:

malicious

Label(s):

unknown_loader_037

3d648905c51d97e4998f5e24312dae37f77dbe94279847f6a124894790881082

3fa4ae4ae197fa29bb3b99af1b7b786fc125d4d6248e2198570332c67c120a53

659ef7c3fd01df95231975c36e8e45444f6329da33a70e58690f2ee75c7a722f

71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987

error

ff02ce95ce92934b9bd5ab657c70a93909e35194c4efcd6105add3dc2fe74f5e

+ 4'028 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/241202-hnmfrstrcy/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

DoH

YARA:

n/a

Link:

https://app.threat.zone/submission/f8830d1e-14b5-4515-8791-d03e77d1b1da

Unpacked files

SH256 hash:

4adf9fe2fbb91d9fa11f43f1f48bf1f1648cf8fda985b878ef90b1d4391fb290

MD5 hash:

0feaeb598c1d759ec38331f8eca83cbd

SHA1 hash:

c298a1fb7d3218b2e7a9e6face1060c0e39e63f3

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

SH256 hash:

0f23bed630a8111bb7c4a31390b9b82765a45d1e25a7464bc48918e33ff25e26

MD5 hash:

86b1d42a4aef0a421c2f6ec0aa16f973

SHA1 hash:

6fb71340282d517bbb342c69e86873ca281d6155

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

Parent samples :

71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987
6c3cf6fd0b7c539c140ab8a5afea954ffd890275a6d13db8c1d3ba7851b237f3

SH256 hash:

7637c762a4342d14075600259ea5a08e74805de3f89ace6eb3a302bb8798646e

MD5 hash:

b6c1f77614929963c802507f0a52c21e

SHA1 hash:

0091b260e030312f48f15ad6e99cf8e382f55de4

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

SH256 hash:

3e14e954dab4e9f1cba0a0ddfe09468cb860e2a918de39b74c0442331594a0e4

MD5 hash:

06271669a8265c172aaa4c0552711f3b

SHA1 hash:

6f9961d67d39f6c34b1f4258e92da8984aa1d6ab

Detections:

SUSP_OBF_NET_ConfuserEx_Name_Pattern_Jan24

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

SH256 hash:

6f53b7822b89cd4a0c5faeae50cdd724eb05b221c371af8cd7d483a12713bb8d

MD5 hash:

53d566d033349975ecb9393c065a2afb

SHA1 hash:

290bd50154828b930f7702a28f871ab137a678b3

Detections:

SUSP_OBF_NET_Reactor_Indicators_Jan24

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

Parent samples :

71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987
6c3cf6fd0b7c539c140ab8a5afea954ffd890275a6d13db8c1d3ba7851b237f3

SH256 hash:

dcedf1a0901395ad6419c369dcbeaaeb0840a026664755d7327e98c18a46eb70

MD5 hash:

d071cef28377645fa098171143ec1246

SHA1 hash:

1ab4e75117d553309709aa7cd82639a43b110063

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

SH256 hash:

71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987

MD5 hash:

49f4ab595618ff1018721913a167f322

SHA1 hash:

439204b6c95b04c16dbd7ff521a7356d9c056f75

Link:

https://www.unpac.me/results/541c192c-82c3-4d29-bdd8-7754715f7522/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.81

Link:

https://yomi.yoroi.company/submissions/71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 71fc4914f7237ba0ddaaf84778c9a09634277517403f5a3f492e037bfd6e4987

(this sample)

Delivery method

Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample