MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e
SHA3-384 hash: bf3a36a022a6abe8fb971ba41ad0138728c6fe4499b13127d3a957bf2df1b4dfe640c8440f991ee9d07556709c498d8a
SHA1 hash: 96e673c652a54915376a477057aaa3648dc6d9c6
MD5 hash: 6a6ea7a0cb1dd2a82f0cf43ca95331d0
humanhash: angel-carbon-grey-lamp
File name:01_extracted.exe
Download: download sample
File size:829'635 bytes
First seen:2020-12-04 13:24:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 12288:u6Wq4aaE6KwyF5L0Y2D1PqLXDgdDeiEYfFVokmBEdOnDM2ebE0qPieRYEAzLAvbk:0thEVaPqLXDgpeAtykmBE+0qP/uU4
Threatray 208 similar samples on MalwareBazaar
TLSH B70533EA60963B7EC8BD8FF789C766C181C44353DBECF9FEA11101037D9A064A946789
Reporter Racco42
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
01_extracted.exe
Verdict:
Malicious activity
Analysis date:
2020-12-04 13:38:48 UTC
Tags:
trojan loda loader
Link:
https://app.any.run/tasks/cf6763af-2ab4-45e9-91c3-cf265ab2b3e9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106756/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Packed.LokiBot-6963314-0
Create hunting rule

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/555628
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326914 Sample: 01_extracted.exe Startdate: 04/12/2020 Architecture: WINDOWS Score: 60 28 Antivirus / Scanner detection for submitted sample 2->28 30 Uses schtasks.exe or at.exe to add and modify task schedules 2->30 7 01_extracted.exe 1 2 2->7         started        11 VQVEIG.exe 2->11         started        14 VQVEIG.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 26 tmlo.awsmppl.com 178.162.204.238, 49724, 50253 LEASEWEB-DE-FRA-10DE Germany 7->26 24 C:\Users\user\AppData\Roaming\...\VQVEIG.exe, PE32 7->24 dropped 18 cmd.exe 1 7->18         started        32 Antivirus detection for dropped file 11->32 file5 signatures6 process7 process8 20 conhost.exe 18->20         started        22 schtasks.exe 1 18->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-04 13:25:06 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
6f7d9ca4731544fea8d56ad9b367f0b3018198376ab73c492f5345a83ee07106
6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
83b924a12b9d879758a2cd4c73a095de0ba4016163f76c94404820e741534030
c6b1bd6ce756a09bc3ce5b1b322abb8cc9700a640cc37cb8c32ebfc1eb433184
cfeca443205d577304ec09ae494c96556eb60d80bd9be772ffaeac389043bd92
ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d
faa47da24f0494f637c0264a6d1d53f033a693c5bce624b8e9d4c525dd0e2e9f
fe93d4797dcffea0d8a5bd8dae89f6012fe45fd730e640e18a264d42fa17945e
+ 198 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/201204-phwhnl9lcn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e
MD5 hash:
6a6ea7a0cb1dd2a82f0cf43ca95331d0
SHA1 hash:
96e673c652a54915376a477057aaa3648dc6d9c6
Link:
https://www.unpac.me/results/e308485d-426d-4631-9f31-29950522d1d0/
SH256 hash:
f4dae0ad84fc516f544c62b8b7a79568a7ea587235f85b6cb7a8e1cd07e661f5
MD5 hash:
27a2f60d7897d6abc3fc59bb8bf795a5
SHA1 hash:
11fecb9c208e1dfa9a963a20921ca0ff8864ceb6
Link:
https://www.unpac.me/results/e308485d-426d-4631-9f31-29950522d1d0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106756/

Comments