MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd
SHA3-384 hash: 538bd08cfe17b8f1d8ca02fda9ff3d3b1af63a49ba1c1d7f810fc6ea86b749de813684a2fb5e7b0c699c8a64338dde4f
SHA1 hash: b3b536166ffa3993a0ea16464fa41e3fa9db9cb9
MD5 hash: a16225aa2cb7f0c1c4f975bb7a9eede0
humanhash: eighteen-berlin-beer-two
File name:SecuriteInfo.com.Trojan.Packed2.42850.8622.24363
Download: download sample
File size:1'088'512 bytes
First seen:2021-03-17 09:31:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5dmgyyU6Syny3y7c1WqMbaONry5UbXYoNe8gKzUjc1bdQHEQp:2gysLGyCWqMbde5IXg2b
Threatray 82 similar samples on MalwareBazaar
TLSH 3E356BD369ACCD83D5397ABEC9E27CF6132D9D3FE19891C41452738A1A75380ADC21E2
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.Packed2.42850.8622.24363
Verdict:
Malicious activity
Analysis date:
2021-03-17 09:34:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9d09b004-8b08-4f76-b8a1-db21f6cfc104

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/124507/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42850.8622.24363.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the Program Files subdirectories
Launching a process
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/642028
Signature
.NET source code contains in memory code execution
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Creates files inside the volume driver (system volume information)
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 369985 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 17/03/2021 Architecture: WINDOWS Score: 100 65 Multi AV Scanner detection for dropped file 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 .NET source code contains potential unpacker 2->69 71 7 other signatures 2->71 8 SecuriteInfo.com.Trojan.Packed2.42850.8622.exe 3 2->8         started        12 WmiPrvSE.exe 3 2->12         started        14 lsass.exe 2 2->14         started        16 5 other processes 2->16 process3 file4 55 SecuriteInfo.com.T....42850.8622.exe.log, Unknown 8->55 dropped 79 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->79 81 Uses schtasks.exe or at.exe to add and modify task schedules 8->81 83 Drops PE files with benign system names 8->83 18 SecuriteInfo.com.Trojan.Packed2.42850.8622.exe 1 26 8->18         started        85 Multi AV Scanner detection for dropped file 12->85 87 Machine Learning detection for dropped file 12->87 89 Injects a PE file into a foreign processes 12->89 signatures5 process6 file7 47 C:\System Volume Information\...\WmiPrvSE.exe, PE32 18->47 dropped 49 C:\Recovery\WmiPrvSE.exe, PE32 18->49 dropped 51 C:\Recovery\SearchUI.exe, PE32 18->51 dropped 53 13 other malicious files 18->53 dropped 73 Creates files inside the volume driver (system volume information) 18->73 75 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->75 22 ctfmon.exe 18->22         started        25 schtasks.exe 1 18->25         started        27 schtasks.exe 1 18->27         started        29 6 other processes 18->29 signatures8 process9 signatures10 77 Injects a PE file into a foreign processes 22->77 31 ctfmon.exe 22->31         started        35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 29->41         started        43 conhost.exe 29->43         started        45 3 other processes 29->45 process11 dnsIp12 57 cd03477.tmweb.ru 5.23.51.195, 49721, 49726, 80 TIMEWEB-ASRU Russian Federation 31->57 59 ipinfo.io 216.239.34.21, 443, 49722 GOOGLEUS United States 31->59 61 192.168.2.1 unknown unknown 31->61 63 Tries to harvest and steal browser information (history, passwords, etc) 31->63 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 13:12:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
44c671f6aaca45b2db6397a3037a471aa2889538ebc73138bfeb34e50e1df1f6
4a4c53136db2fb3322b68159761172d730c30d2f0a486dceeeb0056b4ab8e071
61a70fdae6040d08c4f66f5d5ba95aba1987cda5e4715903696c3139a33d8e05
6dfa00754b15999efaf8c4c636ceac96839096eca669391d2577872a2b1bc369
7125ff46ae7468216b1764b9e22b5811d4890f33a237776c6cbf22c8d8f09bbc
75ea1220430a1db49377668f5fc4f38d4bde275076a4619ba41d1d54a62bc9b8
84ae6fe4cd4f1357409af9eeea51b0ceb8385242c1e67b1f22a51a9475f3ce01
a51c62d5cbbdd3442ea44f0282533b9671f5fea07590caa69e13d67aa66db735
c221fa12d79efaabd55c061a968de9380080d563dc4f13669ed08293b11002c3
cdc2570534ee8b47c95015706643d81047e9f0fd4e1505ff6c251859dba34b1b
+ 72 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210317-ana38k6mrx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/205f50b0-db4f-4e5b-a498-37318b23ba1e/
SH256 hash:
ce8c2ef71658dec4e1e04731c77b87b3dcf73a65e6753dd12f4d4ff44a5fa9e6
MD5 hash:
459a24fc344b984515d725e3fcd7d133
SHA1 hash:
6f0d4e04e318562d767da8329a3dddfe0ac2e838
Link:
https://www.unpac.me/results/205f50b0-db4f-4e5b-a498-37318b23ba1e/
SH256 hash:
38bc05f4bf0d12a0f898266a541f6af476a56b950550a3339bdba23dea46818b
MD5 hash:
f02cc68403bc0c418942182eaf395b49
SHA1 hash:
86c4d7fc0f85d6968ee0981f53e04f8515ab4207
Link:
https://www.unpac.me/results/205f50b0-db4f-4e5b-a498-37318b23ba1e/
SH256 hash:
88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd
MD5 hash:
a16225aa2cb7f0c1c4f975bb7a9eede0
SHA1 hash:
b3b536166ffa3993a0ea16464fa41e3fa9db9cb9
Link:
https://www.unpac.me/results/205f50b0-db4f-4e5b-a498-37318b23ba1e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 88056d251eaa713c922d375e82c3ac2f1daccff6dc13f1a5b02e091bf698bbbd

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1072567/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/124507/

Comments