MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82b3491e9f118bd2fcc92d9badcfa2ba52ea3f37b119e6f2d33272591208a06a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82b3491e9f118bd2fcc92d9badcfa2ba52ea3f37b119e6f2d33272591208a06a
SHA3-384 hash: ef005cbd1893eb4a7a7d1dc3636cd64d5facee8c36edf591b30cfbf6a98bca0361a537b66c4a521917a08835e23cd7d0
SHA1 hash: 4067302b4524013d4fc13c7498d70936f28e70b3
MD5 hash: eb7668ab32c05d212e13861690cdf95b
humanhash: pluto-wolfram-aspen-bravo
File name:Bank swift.exe
Download: download sample
File size:61'952 bytes
First seen:2022-02-16 15:10:10 UTC
Last seen:2022-02-16 17:04:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 768:zcFbzxnQ5H2YycYeFePyJrkcvPhOS4/Vi3xnehErtX+GsMg:zQbzgHJycYeeQzPhOvVihneW9+V
Threatray 116 similar samples on MalwareBazaar
TLSH T164539E3A1BA8C5EAD715A175E047F351222B6EE6DB40051F33A43E8F3CBB5848DEE491
File icon (PE):PE icon
dhash icon 71f0c08888c0e070 (9 x SnakeKeylogger, 9 x AgentTesla, 8 x AsyncRAT)
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
202
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bank swift.exe
Verdict:
Malicious activity
Analysis date:
2022-02-17 01:11:52 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/6c6a7ce8-193a-4117-aa0d-d6281e27ec9b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/241939/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GLW.genEldorado.12996.30473.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/620d140f875593a3ccd79539/reports/60f02075-bf37-4170-83c7-f40300a3f1b7/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/940913
Signature
.NET source code contains potential unpacker
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 573391 Sample: Bank swift.exe Startdate: 16/02/2022 Architecture: WINDOWS Score: 76 49 Multi AV Scanner detection for domain / URL 2->49 51 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 2 other signatures 2->55 7 Bank swift.exe 15 3 2->7         started        process3 dnsIp4 47 0mc-global.com 63.250.35.8, 49762, 80 NAMECHEAP-NETUS United States 7->47 10 cmd.exe 1 7->10         started        13 WerFault.exe 23 9 7->13         started        16 cmd.exe 1 7->16         started        18 8 other processes 7->18 process5 file6 57 Uses ping.exe to check the status of other devices and networks 10->57 20 PING.EXE 1 10->20         started        23 conhost.exe 10->23         started        37 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->37 dropped 25 PING.EXE 1 16->25         started        27 conhost.exe 16->27         started        29 PING.EXE 1 18->29         started        31 PING.EXE 1 18->31         started        33 PING.EXE 1 18->33         started        35 13 other processes 18->35 signatures7 process8 dnsIp9 39 yahoo.com 74.6.143.25 YAHOO-3US United States 20->39 41 74.6.231.21 YAHOO-NE1US United States 25->41 43 98.137.11.163 YAHOO-GQ1US United States 29->43 45 192.168.2.1 unknown unknown 35->45
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82b3491e9f118bd2fcc92d9badcfa2ba52ea3f37b119e6f2d33272591208a06a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-16 15:10:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkzushu7cgf5f7gjfwn23t5cxjjoupzxwem6n4wtgjzfseqiubva._file
Verdict:
unknown
Similar samples:
069e33991bd7de11fd8defd71166ec16592380f263c3c71cd657abfba072cb60
191ca4833351e2e82cb080a42c4848cfbc4b1f3e97250f2700eff4e97cf72019
199f2dc4388a96b80edc0881ac6e70b33833ddb801d15a53981e0ce7624fe371
56637e06a35402eda9bf01f868a88cd3e3a683ed0ee092b8bfcb8118c36d04a4
81ace5cefeb9363abea07fba3f61042d495037ceb815633279e7aa2b9556824e
8eb464ddff8d1b4844641e7e1eefdcb9cd5830a3e63d19fe0c061db6a21b4405
d7ccb616fe7cb8a33d18db6b40c9221db0d7eab713d189306fd7e7565c5d2da8
f2734679038b2a166385da83a40a1bb911754ea23221bba831cc9fdee3f171a9
+ 106 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220216-sklp6sdbak/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Checks computer location settings
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
82b3491e9f118bd2fcc92d9badcfa2ba52ea3f37b119e6f2d33272591208a06a
MD5 hash:
eb7668ab32c05d212e13861690cdf95b
SHA1 hash:
4067302b4524013d4fc13c7498d70936f28e70b3
Link:
https://www.unpac.me/results/d972ca5c-a762-44a9-b352-f12577b9ae13/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/82b3491e9f118bd2fcc92d9badcfa2ba52ea3f37b119e6f2d33272591208a06a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/241939/

Comments