MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560
SHA3-384 hash: 588544e3c49475859048738122ec95d52384adfefccc72ffdc293e5afeca43aa5419b4d107ba2f28fd5e995ffc43ae57
SHA1 hash: 7c0441eef2eb0c11a21b483d481f2a98c68135ec
MD5 hash: d78df7f59a7874cb9690311419e16709
humanhash: kentucky-dakota-yankee-kentucky
File name:d78df7f59a7874cb9690311419e16709
Download: download sample
File size:30'208 bytes
First seen:2022-06-29 10:14:31 UTC
Last seen:2022-06-29 10:43:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:cOmJCNf7ojFYwQ7XvLWRgcL0ST8iNxy2r:cOasm7oWRgcL9HNxvr
Threatray 84 similar samples on MalwareBazaar
TLSH T1AFD2C05BF794CE3AEDB21B311E7303014BB8B8528D53876E75C0A94BBE2329109977B5
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon b28ccaacda53d39b (34 x Formbook, 1 x BitRAT, 1 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/284213/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62bc2666114aa383d0ec4e8a/reports/05268b9f-a5ee-4cc1-9239-ea8e1234e6ea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/edcaec2f-2cf0-479f-9f20-507c8de5e5e4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1021804
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-06-28 12:24:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4blktbvrhehqnqmewhg6vw3lsfeud6v6phadwwx2cna4auucvqa._file
Verdict:
malicious
Similar samples:
0b53b4b9d14763cb1a084f67aa28e17517cfac8d7375fafb501fbf09b20c6f34
3ebffe25deb8f02e10b07eab7085d67df052230f976c3a5b49ceb0df69e24b47
61785f3d1e0ea932704bccfbd0ffe5d2e64d47290f25ac181caf9114f6f80068
64b0b4f8536fc55d8ca14c01f1054d0b85e6bc704dcc43c056776a05f1fde101
6ee2e74be944e02f47b9786593b033de235731d04cb9d599f637bd526344d08a
796e9c213997e70666fed30ee167c31dedce7f1b98f83db4dd6c0caeb870fdc2
9bd4aeef3b523a2046c1f76ae4c6d3af54c7efe233aed7f5639323c48deed942
af3fe54766d73b5d832f60138055a992e440de735ca9e5cb33caa6f4de671b26
c7ea9ece74befd49e92c818ab2a7dca12aab174d6a0a9091748e6c26c0ee9323
df19e371d20cd1ed54e566f2de763872d0e3b5027bd666be55e66f81017ad724
+ 74 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220629-l9765sgfgl/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560
MD5 hash:
d78df7f59a7874cb9690311419e16709
SHA1 hash:
7c0441eef2eb0c11a21b483d481f2a98c68135ec
Link:
https://www.unpac.me/results/dbf7dbb3-0f65-42c5-955f-8fbf8a327c3c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8702b54c3589c878360c258e6f56db5c8a4a0fd5f3ce01dad7d09a0e02941560

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/284213/
  
URLhaus
https://urlhaus.abuse.ch/url/2252388/

Comments


Avatar
zbet commented on 2022-06-29 10:14:36 UTC

url : hxxp://104.168.33.66/ogg/boi.exe