MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73a353b47b07ab046af0164afa457af80c36b6899ae3c54f80052f1026538971. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73a353b47b07ab046af0164afa457af80c36b6899ae3c54f80052f1026538971
SHA3-384 hash: e61d7062bdea763fd79f8239c6f5e6ae1f459b1f8fe215396d906ed139458c286ce9c189706c6e541c06ec4c11b93ceb
SHA1 hash: 906e80efdc5f5dbb7c6bb74ffc387d507d81991a
MD5 hash: 1aaac4ca212b568d9aa332979c25e2fa
humanhash: two-xray-winner-earth
File name:1aaac4ca212b568d9aa332979c25e2fa
Download: download sample
File size:1'985'024 bytes
First seen:2021-08-08 02:11:09 UTC
Last seen:2021-08-08 03:22:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:el+boV2dSlYMXrtcEksYHAS9/Zu7n+/UH1EU2hzP:el6oV2dSu8xcLqj76k2N
Threatray 16 similar samples on MalwareBazaar
TLSH T1119533AF50251913CF2E87B7673CA5A0104E3D77AACCBE1C8A127DD9071ADAAD5CC178
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://cdn.discordapp.com/attachments/871711645188128768/871774061338972211/mecenaty.exe
Verdict:
Malicious activity
Analysis date:
2021-08-03 23:56:46 UTC
Tags:
trojan rat redline stealer loader
Link:
https://app.any.run/tasks/6515a972-1e89-490b-948a-d27149081502

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/177201/
Detection(s):
SecuriteInfo.com.Trojan.MulDropNET.46.24540.2708.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a file
Creating a process from a recently created file
Creating a file in the system32 directory
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3eb3df8a-f6a9-4f26-aaee-9bb6b10f16e9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/828712
Signature
Adds a directory exclusion to Windows Defender
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Script Execution From Temp Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461143 Sample: 1RVPZgy3oX Startdate: 08/08/2021 Architecture: WINDOWS Score: 84 81 Multi AV Scanner detection for submitted file 2->81 83 Machine Learning detection for sample 2->83 85 Sigma detected: Powershell Defender Exclusion 2->85 87 Sigma detected: Suspicious Script Execution From Temp Folder 2->87 10 1RVPZgy3oX.exe 5 2->10         started        14 services32.exe 2 2->14         started        process3 file4 77 C:\Users\user\AppData\Local\...\svchost32.exe, PE32+ 10->77 dropped 79 C:\Users\user\AppData\...\1RVPZgy3oX.exe.log, ASCII 10->79 dropped 101 Adds a directory exclusion to Windows Defender 10->101 16 cmd.exe 1 10->16         started        18 cmd.exe 1 10->18         started        103 Multi AV Scanner detection for dropped file 14->103 105 Machine Learning detection for dropped file 14->105 21 cmd.exe 1 14->21         started        signatures5 process6 signatures7 23 svchost32.exe 6 16->23         started        27 conhost.exe 16->27         started        89 Uses schtasks.exe or at.exe to add and modify task schedules 18->89 91 Adds a directory exclusion to Windows Defender 18->91 29 powershell.exe 18->29         started        31 powershell.exe 23 18->31         started        33 conhost.exe 18->33         started        39 2 other processes 18->39 35 conhost.exe 21->35         started        37 powershell.exe 21->37         started        41 3 other processes 21->41 process8 file9 73 C:\Windows\System32\services32.exe, PE32+ 23->73 dropped 75 C:\Windows\...\services32.exe:Zone.Identifier, ASCII 23->75 dropped 95 Multi AV Scanner detection for dropped file 23->95 97 Machine Learning detection for dropped file 23->97 99 Drops executables to the windows directory (C:\Windows) and starts them 23->99 43 services32.exe 3 23->43         started        46 cmd.exe 1 23->46         started        48 cmd.exe 1 23->48         started        50 MpCmdRun.exe 29->50         started        signatures10 process11 signatures12 107 Adds a directory exclusion to Windows Defender 43->107 52 cmd.exe 1 43->52         started        55 conhost.exe 46->55         started        57 choice.exe 1 46->57         started        59 conhost.exe 48->59         started        61 schtasks.exe 1 48->61         started        63 conhost.exe 50->63         started        process13 signatures14 93 Adds a directory exclusion to Windows Defender 52->93 65 powershell.exe 18 52->65         started        67 conhost.exe 52->67         started        69 powershell.exe 52->69         started        71 2 other processes 52->71 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/73a353b47b07ab046af0164afa457af80c36b6899ae3c54f80052f1026538971/
Threat name:
ByteCode-MSIL.Trojan.Miner
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 07:41:28 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
24ea17a2c73edd5668c90344844c696e8bfddb72bf605feeea1a0dcc054f246f
2d6424f4611e623f05560bcccc43c87819cb60488e0ada6f0eae17528f33a3b9
2dfdc495160b8492466dfe6108702ea44b5a7ff1b8d439d6a6dc9af9359a0838
50fcaa0ac7219a10cadfce715ba25a2f30fe3939fa3d4e1c899d321e397daa0d
561b3cf57b33e115cabbb36756579d7fb15ae90656b826cbd286673b2eaef227
587328521840c2d6fc72391af9027ddba0489878c7bb287058cbad683f6e0191
d96b12587bf342e3a99493402b3ede54ef5b3f31ff4b09a6710f1443a66f2683
e481e934466d3e768442331a3c3af50c4d430b6ed14059afbe661925338ef531
eef5d903a7e1eb2b6ecd93316efad2bf00def8fd4466dae0157615726a46ba4b
ef25bb229ec8ca7d7b2e3d4e23036b74bdc8b9154bb4c5b532e7ea2a0a7c8ee6
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210808-kvptbr65pn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
73a353b47b07ab046af0164afa457af80c36b6899ae3c54f80052f1026538971
MD5 hash:
1aaac4ca212b568d9aa332979c25e2fa
SHA1 hash:
906e80efdc5f5dbb7c6bb74ffc387d507d81991a
Link:
https://www.unpac.me/results/6aa1d141-665c-4908-9315-8b620433a016/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/73a353b47b07ab046af0164afa457af80c36b6899ae3c54f80052f1026538971

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 73a353b47b07ab046af0164afa457af80c36b6899ae3c54f80052f1026538971

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1515214/
Cape
Cape
https://www.capesandbox.com/analysis/177201/

Comments


Avatar
zbet commented on 2021-08-08 02:11:10 UTC

url : hxxp://1234.cs21591.tmweb.ru/123.exe