MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SHA3-384 hash: e53913682af21b7ce41183b49bb04e7799236ca46c9e90a4f80553f80274c1bbf61ffe7de75dd67d15be171a17e42024
SHA1 hash: 184a2433958468b58de460d7d1b60592b6ea4ac5
MD5 hash: 0385a7819daa6375061e698f889327af
humanhash: music-fruit-mike-blossom
File name:ExeFile (355).exe
Download: download sample
File size:799'744 bytes
First seen:2024-08-20 14:13:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:xuvR3QUb4Zk4OwdTGXAG6aORLo5hnyRIA:CzbONdiwOhnU
Threatray 563 similar samples on MalwareBazaar
TLSH T18B05BF42E9CE4FC1ECDD1736C520270B989375874493F7A52F4AE638A0BF36B8A456D8
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
dhash icon c9b4b6b6ececa69a (1 x RedLineStealer)
Reporter byMattii1234

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ExeFile (355).exe
Verdict:
No threats detected
Analysis date:
2024-08-20 17:22:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6bacb0f6-6f86-46b0-a84b-df7d5a6bdb75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Razy.708905.8099.8823.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c4a4bae7ff3f5a063ba064
Tags:
Generic Static Generickd
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint hook packed packed
Link:
https://www.filescan.io/uploads/66c4a4ada3292d51061e110a/reports/123260a4-c8bd-482e-b391-e0545ef9d11d/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/598ca9e7-2195-4e2f-a99a-7773ee61e956
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1495911
Signature
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2020-09-10 05:04:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pxp2n5ckmd2lrfbsd5uxp6asdt5tohb4mgwiolcyxjq72xxbhxvq._file
Verdict:
unknown
Similar samples:
04ea5c74e910a261b38f769a145ce0f7370badc8f88f53715c44bb73899bc736
195a5e1791ed6fd6b6a642c2d354504cbceb4c28adee53b3f5415e08fa147a08
477a06dbbff57c765255c72f2ff7d72129269d9c66483e75abe3dbdab2432104
574a54bc3a0667b656cd0a41974cf676a9939d1e2c5a3e3984e4dcd3ba49a744
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
9802a11bca599736bb7d56c2866a87a3363a2de0edc4848974c812d11f99c87f
+ 553 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet bootkit discovery persistence
Link:
https://tria.ge/reports/240820-rjq3tswdqb/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
System Location Discovery: System Language Discovery
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bb041237-4da6-41ca-b422-be7e0b73ef96
Unpacked files
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Detections:
INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Link:
https://www.unpac.me/results/053d8954-7e7d-4160-a06c-e717e5ec2f02/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
SH256 hash:
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
MD5 hash:
0385a7819daa6375061e698f889327af
SHA1 hash:
184a2433958468b58de460d7d1b60592b6ea4ac5
Link:
https://www.unpac.me/results/053d8954-7e7d-4160-a06c-e717e5ec2f02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:INDICATOR_EXE_Packed_AgileDotNet
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Agile.NET / CliSecure
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/456443/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments