MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 810130f699710ade669053cd5c9cc5c10527bfc3a3fc689c2c0cd66947b870ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	810130f699710ade669053cd5c9cc5c10527bfc3a3fc689c2c0cd66947b870ff
SHA3-384 hash:	c1f625c40405175e8bab60397f9735eadc997d153960fbad74bf17d5ccacc07df31b5ccf4241238f2ea51e3ff9c54086
SHA1 hash:	f0befa257d09241db8ad5e4f79dca2ee12d3362d
MD5 hash:	0759713fa0cad0716fce0846521290fd
humanhash:	lion-paris-william-violet
File name:	SecuriteInfo.com.Trojan.Siggen18.15863.20143.2572
Download:	download sample
File size:	100'352 bytes
First seen:	2022-06-30 08:39:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	3072:UgbDw2HmDbOa2R0r4xRkAwEALweSaI4g2ui:ZbDGDN2RHcEAseRg
Threatray	77 similar samples on MalwareBazaar
TLSH	T126A302FF6B98C239E5960B31896363126E3EE6041E9796AA0891E12F0D27344C772FD5
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	69e8ca2d33e8e869 (2 x ValleyRAT, 1 x Gh0stRAT, 1 x LummaStealer)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/284546/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Sending a custom TCP request

Sending an HTTP GET request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62bd61a3b0578633c8b39209/reports/02ca5743-9739-435e-bfc0-f384f1fc0e67/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6f155872-6cbf-4c88-8e95-b7f7f21fc310

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/1022468

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/810130f699710ade669053cd5c9cc5c10527bfc3a3fc689c2c0cd66947b870ff/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2022-06-29 23:42:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qeatb5uzoefn4zuqkpgvzhgfyecspp6dup6grhbmbtlgsr5yod7q._file

Verdict:

unknown

1bbdd6534336280436213b88cf3075db3754a027cbf39351dd81f923ed0ed137

3ebffe25deb8f02e10b07eab7085d67df052230f976c3a5b49ceb0df69e24b47

61785f3d1e0ea932704bccfbd0ffe5d2e64d47290f25ac181caf9114f6f80068

6ee2e74be944e02f47b9786593b033de235731d04cb9d599f637bd526344d08a

796e9c213997e70666fed30ee167c31dedce7f1b98f83db4dd6c0caeb870fdc2

8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560

9bd4aeef3b523a2046c1f76ae4c6d3af54c7efe233aed7f5639323c48deed942

c7ea9ece74befd49e92c818ab2a7dca12aab174d6a0a9091748e6c26c0ee9323

df19e371d20cd1ed54e566f2de763872d0e3b5027bd666be55e66f81017ad724

+ 67 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220630-kkvzvabed6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Unpacked files

SH256 hash:

810130f699710ade669053cd5c9cc5c10527bfc3a3fc689c2c0cd66947b870ff

MD5 hash:

0759713fa0cad0716fce0846521290fd

SHA1 hash:

f0befa257d09241db8ad5e4f79dca2ee12d3362d

Link:

https://www.unpac.me/results/b8056d84-721a-4566-ae31-fde3e5ad8ae1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/810130f699710ade669053cd5c9cc5c10527bfc3a3fc689c2c0cd66947b870ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/284546/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample