MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed
SHA3-384 hash: 624aaff5b527d51c3e8bc19594d94375323e98ce89595be2487e6e6c669ead01007b7f6e697dc1ec1cc7af61160a3ad2
SHA1 hash: a23fa848039b0dcc6157955c1aa970ca43b1c5a9
MD5 hash: fca617cb20ed571feb12281023cb6787
humanhash: magnesium-september-pluto-california
File name:SOA.exe
Download: download sample
File size:406'016 bytes
First seen:2020-10-19 10:24:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:kF/ajU32C/zl76OW2ZDbn2ZPVb41MLy+B0wYlxebrGyxKtoIuh+Y+5tyL:ktajU3Z6SHmHLy+BMoPUoIdAL
Threatray 21 similar samples on MalwareBazaar
TLSH 1284552539BF940DF172AE7ADEC4B1B58A1BE772210AE1792062C3070A13B87DF9D535
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: nom-uk.com
Sending IP: 103.99.1.143
From: Alan Barboza <admin@nom-uk.com>
Subject: SOA AUG 2020
Attachment: SOA.zip (contains "SOA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72886/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/495232
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300073 Sample: SOA.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 72 26 Multi AV Scanner detection for dropped file 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Machine Learning detection for sample 2->30 32 3 other signatures 2->32 7 SOA.exe 16 5 2->7         started        12 vlc.exe 14 3 2->12         started        14 vlc.exe 2 2->14         started        process3 dnsIp4 24 192.168.2.1 unknown unknown 7->24 20 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->20 dropped 22 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 7->22 dropped 34 Adds a directory exclusion to Windows Defender 7->34 16 powershell.exe 24 7->16         started        file5 signatures6 process7 process8 18 conhost.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 08:30:42 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzfkynjxrpc2i5b7upl7h2bnzan6tl22bufrtkmm7ha3svyou7wq._file
Verdict:
suspicious
Similar samples:
1e9ff9549343dcb17dcb137508657a94e5503579e0e0741443b27c732b62fa5c
1f6ec588edbf2a5b1796f89ad775229cad1066bc93607baa8993a19323be34e8
3a98a6f65a651d7fdc6b147ab1baceebcc31576fccb4ff4d7c516bcad6d7c20b
8f9f89be357d1d17b6281bf9f6caebfa97fdbfcb6aec50e4aa147d0e24e909e7
92715192ee868e9d408f9449893688c609bb81fb522f9af00f9cf8caeaf098a2
b8ad7398bf812d51b21f9ec51b8ffba7d3830dac0a949f09acea087066f4368b
c0b81523511df7b87111c6d4d849f08326e22a15adeb15a203feb8ce5ca56a75
eed41a2c1215d2ca0ef2022172504a565b7a968e6263e173fceb6f1b1747d795
f4c25b70ae9ea0c7f4a7f028011167b7154ded11a0b8e90b1c7570ba9af1f2f2
fa655773a5d44061edbaeedb2b3e31597bcefe870c47fdefdb39ea0bb072d31d
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201019-9x45y225la/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed
MD5 hash:
fca617cb20ed571feb12281023cb6787
SHA1 hash:
a23fa848039b0dcc6157955c1aa970ca43b1c5a9
Link:
https://www.unpac.me/results/51d00108-9a23-4db7-97b1-4c09b6d790df/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 887a9c47f50a2ac28bd10f1a44e1e5a5862e018a7cdb793b8485c2c044b281c6

Executable exe 8e4aac35378bc5a4743fa3d7f3e82dc81be9af5a0d0b19a98cf9c1b9570ea7ed

(this sample)

  
Dropped by
MD5 9fb51acb0fa9d3d55dffbb9e1fa374df
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72886/
  
Dropped by
SHA256 887a9c47f50a2ac28bd10f1a44e1e5a5862e018a7cdb793b8485c2c044b281c6

Comments