MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80678f73b6527356c0abcce6730e0304e1697e8f81c566d659fdd997acd33543. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


4444


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80678f73b6527356c0abcce6730e0304e1697e8f81c566d659fdd997acd33543
SHA3-384 hash: 878e274ff8f0d1c8f286d22029c7641fac88856abc51f2870aab7fc587e982fc77d8f07a62a05f87881cf11ecfe2c58c
SHA1 hash: fb8cd563abb8bfc14b7b9b0de774587efa18bb54
MD5 hash: febfddddca43d0232bbccce8d9938798
humanhash: ten-eight-mississippi-twenty
File name:febfddddca43d0232bbccce8d9938798.exe
Download: download sample
Signature 4444
Create hunting rule
File size:839'680 bytes
First seen:2021-02-16 20:03:44 UTC
Last seen:2021-02-16 21:54:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:hEv9ZpKY/6Z7iYtU+wkH86jwOw/OLBUoOVDvdSiDlKrvZmj:Wv5KY/6Z7iYtU+wkxoO+oO5vsmj
Threatray 17 similar samples on MalwareBazaar
TLSH 7F05BE3267086B5DF039F33C00251618ABF5F84EE321DF5E7EEE85DA0829E199765923
Reporter abuse_ch
Tags:4444 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117436/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.543.4598.14947.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Result
Threat name:
4444_Ransomware
Create hunting rule
Detection:
malicious
Classification:
rans.spre.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609461
Signature
Antivirus detection for dropped file
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files to the user root directory
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected 4444_Ransomware
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353759 Sample: V1Lxlak01a.exe Startdate: 16/02/2021 Architecture: WINDOWS Score: 100 46 Antivirus detection for dropped file 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Yara detected AntiVM_3 2->50 52 5 other signatures 2->52 8 V1Lxlak01a.exe 3 2->8         started        12 V1Lxlak01a.exe 2 2->12         started        process3 file4 28 C:\Users\user\AppData\...\V1Lxlak01a.exe.log, ASCII 8->28 dropped 54 Drops PE files to the document folder of the user 8->54 56 Drops PE files to the user root directory 8->56 58 Drops PE files to the startup folder 8->58 14 V1Lxlak01a.exe 501 8->14         started        18 V1Lxlak01a.exe 501 12->18         started        20 V1Lxlak01a.exe 12->20         started        22 V1Lxlak01a.exe 12->22         started        signatures5 process6 file7 30 C:\Users\user\HOW TO BACK YOUR FILES.exe, PE32 14->30 dropped 32 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 14->32 dropped 34 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 14->34 dropped 42 1021 other files (14 malicious) 14->42 dropped 60 Creates files inside the volume driver (system volume information) 14->60 62 Spreads via windows shares (copies files to share folders) 14->62 24 cmd.exe 1 14->24         started        36 C:\...\HOW TO BACK YOUR FILES.exe, PE32 18->36 dropped 38 C:\...\HOW TO BACK YOUR FILES.exe, PE32 18->38 dropped 40 C:\...\HOW TO BACK YOUR FILES.exe, PE32 18->40 dropped 44 211 other files (none is malicious) 18->44 dropped signatures8 process9 process10 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80678f73b6527356c0abcce6730e0304e1697e8f81c566d659fdd997acd33543/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 12:50:17 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qbty645wkjzvnqflztthgdqdatqws7upqhcwnvsz7xmzplgtgvbq._file
Verdict:
malicious
Similar samples:
052a57afa8493f1396d73ab451c6df0135cf674529a26f692110b6ddb91c2672
4444
20f7fce0e0f522a1fe1c6b51967fc1236e428d8ce45dc2a10738d03db57beb44
4444
228cb0b4f58f72e44a6325c45da54adf0892deedcece6b010659f354f863c260
4444
30303b663e0b7b9824cc59298b36f824b607b4fb85de53af6aac3a023d895513
4444
750984dff0d13260e17e9bb1a3482f1bae834d6e0de1bcd199028748a9f998dc
4444
8577f2b2527925efb4a0a024cecaf3b41ef3b7d9fd5da314c31b8e4fe665df03
4444
9a55095bce5f28440aeed18e9997322e0b1786208f6029d42a189804dc19738b
4444
a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a
4444
acd3819ea42caf7fabc03c7e56b03e673f6a3b16ac3a131b57f7e4549de7b16d
4444
e43f0cf8905305adbb28597ad256c8e0547fe3ce3c648095635c1ae94ab0dbb9
4444
+ 7 additional samples on MalwareBazaar
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/def8c274-f5ef-488b-a683-04b51d26ef87/
SH256 hash:
80678f73b6527356c0abcce6730e0304e1697e8f81c566d659fdd997acd33543
MD5 hash:
febfddddca43d0232bbccce8d9938798
SHA1 hash:
fb8cd563abb8bfc14b7b9b0de774587efa18bb54
Link:
https://www.unpac.me/results/def8c274-f5ef-488b-a683-04b51d26ef87/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80678f73b6527356c0abcce6730e0304e1697e8f81c566d659fdd997acd33543

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

4444

Executable exe 80678f73b6527356c0abcce6730e0304e1697e8f81c566d659fdd997acd33543

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1002464/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117436/

Comments