MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c
SHA3-384 hash: 638c0dd372b4d2c2996f7addf2e57ede7ade8f9b33ca1b38533ffdb885915669eb5a5175102e6bb8cca1c4283c5c8ca7
SHA1 hash: 45792e0799395f50f805bdf4fca1a661962c1731
MD5 hash: b427f0da0de80d69c4ecaafd3a8ba4b6
humanhash: mirror-rugby-quiet-undress
File name:b427f0da0de80d69c4ecaafd3a8ba4b6
Download: download sample
File size:466'432 bytes
First seen:2023-08-25 18:09:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:tGT+hKgdBsRtSeY4OeTaUXSkt7rZ/iirsO8mHwUar1ACB4F:oTJgdBsRoeY4OeT7Bt7F/i+F8mHcBS
Threatray 789 similar samples on MalwareBazaar
TLSH T19AA4B403BA4786E5D1481B36E59B130043ACDA91F7B7D70E794A13A6D923FAAEC0DD07
TrID 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.8% (.SCR) Windows screen saver (13097/50/3)
8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 0010007070001000
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
357
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://80.66.75.40/Fpgwaghdi.exe
Verdict:
No threats detected
Analysis date:
2023-08-25 17:34:27 UTC
Tags:
loader
Link:
https://app.any.run/tasks/186edc62-8c94-46c9-bc15-8c6c05e88fda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444789/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.15689.4841.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Creating a file in the %AppData% directory
Launching a process
Creating a file
Creating a file in the Program Files subdirectories
Changing a file
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a service
Moving a file to the Program Files subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Deleting volume shadow copies
Unauthorized injection to a system process
Encrypting user's files
Sending an HTTP POST request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control lolbin packed replace
Link:
https://www.filescan.io/uploads/64e8ee7c5ec4a8623260be6c/reports/842e97d5-678e-42ac-8962-43d6a9f6b78c/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/75e05dca-2d7a-4f9d-a27a-a0e6ffd90beb
Result
Threat name:
Targeted Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297579
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates files in the recycle bin to hide itself
Deletes shadow drive data (may be related to ransomware)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
May disable shadow drive data (uses vssadmin)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses bcdedit to modify the Windows boot settings
Uses cmd line tools excessively to alter registry or file data
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RansomwareGeneric
Yara detected Targeted Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1297579 Sample: 4cGFnkiRf2.exe Startdate: 25/08/2023 Architecture: WINDOWS Score: 100 66 qu.ax 2->66 80 Snort IDS alert for network traffic 2->80 82 Antivirus detection for URL or domain 2->82 84 Antivirus / Scanner detection for submitted sample 2->84 86 7 other signatures 2->86 9 4cGFnkiRf2.exe 16 7 2->9         started        14 Wgohpvx.exe 2->14         started        signatures3 process4 dnsIp5 68 qu.ax 45.95.232.89, 443, 49716, 49730 RHC-HOSTINGGB Russian Federation 9->68 58 C:\Users\user\AppData\Roaming\Wgohpvx.exe, PE32 9->58 dropped 90 Deletes shadow drive data (may be related to ransomware) 9->90 92 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->92 94 Writes to foreign memory regions 9->94 16 MSBuild.exe 3 528 9->16         started        21 cmd.exe 1 9->21         started        96 Multi AV Scanner detection for dropped file 14->96 98 Injects a PE file into a foreign processes 14->98 file6 signatures7 process8 dnsIp9 60 91.215.85.142, 49720, 49721, 49722 PINDC-ASRU Russian Federation 16->60 62 192.168.2.1, 135, 274 unknown unknown 16->62 64 3 other IPs or domains 16->64 50 Microsoft .NET Fra...0810_120149163.html, data 16->50 dropped 52 C:\Users\user\AppData\...\settings.dat.LOG2, data 16->52 dropped 54 C:\Users\user\AppData\...\settings.dat.LOG1, data 16->54 dropped 56 164 other malicious files 16->56 dropped 70 May disable shadow drive data (uses vssadmin) 16->70 72 Creates files in the recycle bin to hide itself 16->72 74 May check the online IP address of the machine 16->74 78 5 other signatures 16->78 23 vssadmin.exe 16->23         started        26 cmd.exe 16->26         started        28 cmd.exe 16->28         started        30 cmd.exe 16->30         started        76 Uses cmd line tools excessively to alter registry or file data 21->76 32 conhost.exe 21->32         started        34 reg.exe 21->34         started        36 takeown.exe 21->36         started        38 23 other processes 21->38 file10 signatures11 process12 signatures13 88 Deletes shadow drive data (may be related to ransomware) 23->88 40 conhost.exe 23->40         started        42 conhost.exe 26->42         started        44 sc.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c/
Threat name:
Win32.Trojan.Agentagen
Create hunting rule
Status:
Malicious
First seen:
2023-08-25 11:23:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pnyv2bvcerhbkwxxaubyv7lwc6u2sftd6semu5eg6zuusesg5yga._file
Verdict:
malicious
Similar samples:
1ad099ae47a44058fd883aef2e9032b857d2f78b4f14c4ce606f2870b4ec062a
29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95
2d397c3b96952610182b2f157200c188b1f816689dda18ab175b813108acce13
33fc6a56478fcc172306018e4de7b96684a5ee5d839afc3d0ae8573072ec92b9
9248252c652a2f2a1476b419f62d426b93b38b530b9ea0d16071c2724e4f48e4
db309c1ee2e0d1555a57a2d177be42d52809cbca61f71292f68523c167448080
f6c42a515a0e4f5a0be19b764ef25708eea3084ba1fc4de82e9ac440583d1165
fe561cf56cd580b3bb34099feec06059cd9b276a1c07f9316036058d22d661ac
+ 779 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion persistence ransomware
Link:
https://tria.ge/reports/230825-wr1z8aeb53/
Behaviour
Interacts with shadow copies
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Launches sc.exe
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Modifies file permissions
Stops running service(s)
Deletes shadow copies
Renames multiple (3605) files with added filename extension
Unpacked files
SH256 hash:
7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c
MD5 hash:
b427f0da0de80d69c4ecaafd3a8ba4b6
SHA1 hash:
45792e0799395f50f805bdf4fca1a661962c1731
Link:
https://www.unpac.me/results/a3e80816-8d93-448c-b52f-4fa8d32f7607/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7b715d06a224/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7b715d06a2244e155af705038afd7617a9a91663f488ca7486f669491246ee0c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/444789/
  
URLhaus
https://urlhaus.abuse.ch/url/2706988/

Comments


Avatar
zbet commented on 2023-08-25 18:09:06 UTC

url : hxxp://80.66.75.40/Fpgwaghdi.exe