MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 15

Intelligence 15 IOCs YARA 5 File information Comments

SHA256 hash:	76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1
SHA3-384 hash:	a609af3a66b10dfcb67b6ad91222eb53e730cf1fb06f6dfba25b40552013df3f11be5938103e9e6b0021fff8e09266be
SHA1 hash:	8969ad90a18bb71d8554bb09ca71691d0baebfeb
MD5 hash:	4c765261499478dd2106d78f31ef76e1
humanhash:	spaghetti-pizza-avocado-fish
File name:	PO 81049864.exe
Download:	download sample
File size:	666'624 bytes
First seen:	2024-05-28 06:09:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:ZuVrYCFd6xmxE1GSVkRj2mev0qITon6Wizf8SNZ2vM/j7jqBwR++cnjg:k81xmxOGSSRy2cnBSN4vM3jqBa
TLSH	T11FE4239C38B5DB61C8FF03F946A00DA01773AE0269A6DA590E4635DB4B36F048757E8B
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	205cb064d8d4d408 (10 x Formbook, 4 x AgentTesla, 2 x Loki)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1.exe

Verdict:

Malicious activity

Analysis date:

2024-05-28 06:21:38 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e74bc4d9-c586-45d4-afb6-061b77a550b6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.32580.15766.UNOFFICIAL

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=665575565721c8e527178014win7simulatehigh_evasion

Tags:

Kryptik

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/6655753c9c0b71aaf529cf75/reports/4a01105c-37b6-4613-af85-21d8cf114fd1/overview

Verdict:

Malicious

Labled as:

Barys.Generic

Link:

https://www.hybrid-analysis.com/sample/76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a422afce-6560-4984-88fb-4770b34d455a

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1448286

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1/

Threat name:

ByteCode-MSIL.Trojan.Barys

Status:

Malicious

First seen:

2024-05-27 02:17:09 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=o3yzjfsftjc46iclwqhaeqqaeh7yr6rnnp5tya6qesn2rha4ydaq._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240528-gw2pzsaa98/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/48a3807d-632e-46a4-b084-ce195cd9740d

Unpacked files

SH256 hash:

54892a2ad8bf464501e0f825a114b6519212c52586f18025fa7f7b5abb7df3a9

MD5 hash:

516b95a2508a195dcfd17a41016ccead

SHA1 hash:

e50a8ebffd689a4fd76a5aab73819b454ccd56f4

Link:

https://www.unpac.me/results/a526caa5-ee0d-42db-9938-e9b00f379cac/

SH256 hash:

2b63665d65d5f1f9664e8e3ccfd7171ec1db7989e8c3646c5fc81d1fb6f43cc2

MD5 hash:

bef5039bd3b3e8e3c0bbfc0166e544da

SHA1 hash:

b556c5a05bba82fdb37ed40a05a5bd936461b133

Link:

https://www.unpac.me/results/a526caa5-ee0d-42db-9938-e9b00f379cac/

SH256 hash:

2e0007967efbdfa9c90a292bd339242792242a0a056ddb7ae0bb2e61be4d7f18

MD5 hash:

7bf39b95a4b3e280f35d39b1bcb9fb17

SHA1 hash:

48ce1e6b3088acd6db9c3cdc499b1b7a2ebcf384

Link:

https://www.unpac.me/results/a526caa5-ee0d-42db-9938-e9b00f379cac/

SH256 hash:

76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1

MD5 hash:

4c765261499478dd2106d78f31ef76e1

SHA1 hash:

8969ad90a18bb71d8554bb09ca71691d0baebfeb

Link:

https://www.unpac.me/results/a526caa5-ee0d-42db-9938-e9b00f379cac/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/76f19496459a45cf204bb40e02420021ff88fa2d6bfb3c03d0249ba89c1cc0c1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_DIFF_Common_Strings_01 Create hunting rule
Author:	schmidtsz
Description:	Identify partial Agent Tesla strings

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample