MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801
SHA3-384 hash: 5556d93f834fc86a7f9329c01ace0816ddeea0a59c65b51740e7b88dca7a08aa25833f772696d5d0092b5876ea158938
SHA1 hash: 0386b781ab84c9309d24eb15ef68628363a21fb0
MD5 hash: 848514d3293e05eef636c27ee777fe29
humanhash: asparagus-delta-skylark-solar
File name:doc20219119979791.exe
Download: download sample
File size:29'624 bytes
First seen:2021-11-09 16:25:09 UTC
Last seen:2021-11-09 16:42:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 384:547ApUomD2xrH6237t3wtCKlGyihj0PX4KI8ScjpAg1Me5TpoAaG/e1yi7SaXiDd:4Ap3aCKlGyiJK/rMe5SzGL8rM2rsEAh7
Threatray 628 similar samples on MalwareBazaar
TLSH T1B5D26C28978A4633DD2F4B36A1D05500F379A783B403CB1E69DE70CDDC933965A9427E
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/204536/
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed packed
Link:
https://www.filescan.io/uploads/618aa11c175442ca93a951a9/reports/8b3fdf1e-7ad0-453c-816e-11764f48f112/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4c857a76-a51c-40f6-b72a-63525bda70f7
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/886142
Signature
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Certutil Command
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 518615 Sample: doc20219119979791.exe Startdate: 09/11/2021 Architecture: WINDOWS Score: 100 90 Multi AV Scanner detection for dropped file 2->90 92 Yara detected UAC Bypass using CMSTP 2->92 94 Yara detected AntiVM3 2->94 96 4 other signatures 2->96 8 doc20219119979791.exe 23 9 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 2 other processes 2->17 process3 dnsIp4 84 cdn.discordapp.com 162.159.130.233, 443, 49783, 49784 CLOUDFLARENETUS United States 8->84 66 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->66 dropped 68 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->68 dropped 70 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->70 dropped 98 Creates autostart registry keys with suspicious names 8->98 100 Creates an autostart registry key pointing to binary in C:\Windows 8->100 102 Adds a directory exclusion to Windows Defender 8->102 110 2 other signatures 8->110 19 doc20219119979791.exe 8->19         started        22 AdvancedRun.exe 8->22         started        25 powershell.exe 24 8->25         started        33 4 other processes 8->33 86 162.159.135.233, 443, 49785, 49786 CLOUDFLARENETUS United States 13->86 72 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 13->72 dropped 104 System process connects to network (likely due to code injection or exploit) 13->104 106 Hides threads from debuggers 13->106 108 Contains functionality to hide a thread from the debugger 13->108 27 powershell.exe 13->27         started        29 powershell.exe 13->29         started        35 3 other processes 13->35 74 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 15->74 dropped 37 5 other processes 15->37 31 WerFault.exe 17->31         started        file5 signatures6 process7 dnsIp8 64 C:\Users\user\AppData\Local\Temp\...\376B.bat, ASCII 19->64 dropped 39 cmd.exe 19->39         started        82 192.168.2.1 unknown unknown 22->82 41 AdvancedRun.exe 22->41         started        43 conhost.exe 25->43         started        45 conhost.exe 27->45         started        47 conhost.exe 29->47         started        49 conhost.exe 33->49         started        51 2 other processes 33->51 53 3 other processes 35->53 55 4 other processes 37->55 file9 process10 process11 57 certutil.exe 39->57         started        62 conhost.exe 39->62         started        dnsIp12 88 oshi.at 51.68.141.111, 443, 49787, 49792 OVHFR France 57->88 76 C:\Users\user\AppData\...\rpchost[1].exe, PE32 57->76 dropped 78 C:\Users\...\CCA8DE822E8B51456A3A1F2F667B81E8, PE32 57->78 dropped 80 C:\Users\Public\tmpdata\rpchost.exe, PE32 57->80 dropped 112 System process connects to network (likely due to code injection or exploit) 57->112 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-11-09 16:26:04 UTC
AV detection:
9 of 45 (20.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qj5nw4kjgantxj4svfnkx6xaivzvjy4pq73n2lngfgq47zodbaaq._file
Verdict:
malicious
Similar samples:
2774da0c82b3700d74725edf23bef248083b6df616c7b494c05d4b5aec3ef2f2
2ac91449fd255e02594e29de0f1c66c70fb0ba1af3dd87846ffe3e21503ffb4d
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
63cc7593ecc74d78b39a46559da7124216bb5bc0e9eed2d7996717c462871ea6
8f348bddd7f0130d5cb44993275cc8fa322b48e0a54ec61dc8449dd20d02fd75
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
d89c68b81a492812f334c6485f8867419efb302da480f13d56ce1e9801c20096
f888b5b6c0a03183f2266c295f90218d5cb73b49ace6bb5dd18862eaa82dd16b
+ 618 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection evasion persistence pyinstaller spyware stealer trojan
Link:
https://tria.ge/reports/211109-txhpqacfbp/
Behaviour
Delays execution with timeout.exe
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Detects Pyinstaller
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Windows security modification
Downloads MZ/PE file
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801
MD5 hash:
848514d3293e05eef636c27ee777fe29
SHA1 hash:
0386b781ab84c9309d24eb15ef68628363a21fb0
Link:
https://www.unpac.me/results/aca098ac-4219-4eda-bd04-87c46a79f7f9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/827adb714930/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 827adb7149301b3ba792a95aabfae0457354e38f87f6dd2da629a1cfe5c30801

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/204536/

Comments