MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa
SHA3-384 hash: 43f37109462c5b368f99768feb84f6c85a33eb9382d02dea34953e71790b89fd9df934ddfd73c6dce4422f50e87df1c0
SHA1 hash: cb1065ed12890f9dfa599e94c559626129f9efcb
MD5 hash: 79c8aec89b55f0fd893c5358cfe66634
humanhash: hydrogen-undress-item-indigo
File name:79c8aec89b55f0fd893c5358cfe66634
Download: download sample
File size:328'192 bytes
First seen:2022-07-21 06:30:51 UTC
Last seen:2022-07-21 07:47:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:L2CgfxElP8isat6Z475cw0npnlSLmarpUguiVuVTEryN+9t7NS:L2YR2DEknwaaFUZiVuK7
Threatray 1'949 similar samples on MalwareBazaar
TLSH T1546401C54A18E1D3F3B8D5B4D4B0DBFB82B82B756CA14604A1F9A5EDCB3E7262D05112
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0f8b4d2fab44bac
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/293083/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.22091.7436.9680.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching a process
Creating a file
Creating a window
Sending a custom TCP request
Forced shutdown of a system process
Enabling autorun
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62d8f2eeef2b0e63a82c74d4/reports/7a20f0f6-5e0f-492f-9547-f845254bcc86/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27e23e18-2fea-425e-ab8d-ffa76ea8031f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1038382
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2022-07-21 06:31:17 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pc6qnhllfipgc6kbw4nwsu7avddzf5e5hl57gzrwcdla4kaajd5a._file
Verdict:
malicious
Similar samples:
206d7752554b21b549a155ec769043ffa29b6a9f5741b8c42ef9cf02f5238ec9
2447933c7bf0db3f5bdcf7c901f4dd45f08267cbb5c5e4efe5f5a118195f0f86
367ec5a3049564a64740a249ee25f1cac476b918a3e70132cb5fc95e79c2c770
389f5ad5330ae27ed43bc0b3f33cd1655a49365f0310e25fd35f6771824d009e
61126f74e12b1f13c1f000a90bbcb919979d5d53ac8b20114077986a2fb01495
699d61469fd170d6cca80f781a3ab9b0041d75095ff8c59aa6afccf52b3e0278
883fbd9454d2908498fa566ecd5022d66f57afe80eeda4b90083ea35fa1c83fb
97261fee3b80f8396ae8c4c2522d7613b69b41644e5c8e03948aedf6778c3e42
af21146a2dde58a679dc4186bdc6d4827caeb7150851da43aec36f4a662b4d01
ce442fab80f616645429e47bededf88f2104476899a35952f70e1e31a21e734a
+ 1'939 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/220721-g92xxadch2/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
1dbd3b92671c9ff861dce7b35f75eb2710b6d2ea6cf962f9d62e1b206ca6cc79
MD5 hash:
feb19a0945399c5acd74c27eadad3b63
SHA1 hash:
dbe4ed3409de815a1334f784536d20ccbb59545e
Link:
https://www.unpac.me/results/4f273099-1c92-491b-9d11-4aecd30a7407/
SH256 hash:
5a9fd485c2b755dfe3e27194ce20e1b38726d009f27785e11e25f640150a7c98
MD5 hash:
55e553b4da908f203501a3af7015a2bc
SHA1 hash:
1b68aae16d998469fb77bd6ad5a3e5961bdedc77
Link:
https://www.unpac.me/results/4f273099-1c92-491b-9d11-4aecd30a7407/
SH256 hash:
47bf3577253f8fcc9f2035188702e39a05587301ce2ef98db1bfde02b499f786
MD5 hash:
424ee1b794b252b8a01ff411a62a4154
SHA1 hash:
091de16c00beede66ab6ea1e2b6b86e762c2428a
Link:
https://www.unpac.me/results/4f273099-1c92-491b-9d11-4aecd30a7407/
SH256 hash:
78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa
MD5 hash:
79c8aec89b55f0fd893c5358cfe66634
SHA1 hash:
cb1065ed12890f9dfa599e94c559626129f9efcb
Link:
https://www.unpac.me/results/4f273099-1c92-491b-9d11-4aecd30a7407/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/78bd069d6b2a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 78bd069d6b2a1e617941b71b6953e0a8c792f49d3afbf3663610d60e280048fa

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2259576/
  
URLhaus
https://urlhaus.abuse.ch/url/2259577/
Cape
Cape
https://www.capesandbox.com/analysis/293083/
  
URLhaus
https://urlhaus.abuse.ch/url/2259585/

Comments


Avatar
zbet commented on 2022-07-21 06:30:55 UTC

url : hxxp://141.98.6.236/Z2KNEW/Ivnut-Z2K-3.exe