MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e6a13a9bfd37d8f6ef83a6157de9f9c1d44d19073ffb7801cf13a44425296f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e6a13a9bfd37d8f6ef83a6157de9f9c1d44d19073ffb7801cf13a44425296f0
SHA3-384 hash: 4cfc544d7b7341af419545bf922a786ce1d7437b2cb3a18c78e9dd7b3d936e714df6fde822c2fd0263f3a9d3fb2f84b9
SHA1 hash: 2fd1efe5dee56cae61d8359b28faa358255bdcb3
MD5 hash: 0af11be93fd49bde3f5dc03a3b92cbb9
humanhash: saturn-five-oklahoma-uncle
File name:0af11be93fd49bde3f5dc03a3b92cbb9
Download: download sample
File size:187'904 bytes
First seen:2022-03-29 09:01:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:aIPL/4bO5T3R8c3byDhlDWEFuWj+98D5beukwA7M9SqFZR1hEgtqy2Q:HL/4bYRLglDWj98Jfkz7M9x5Uy2Q
Threatray 13 similar samples on MalwareBazaar
TLSH T1020400EACB69C27DC5472770D4F0F5F08249ADACC5428E0B92647F2B33725862997C97
File icon (PE):PE icon
dhash icon ccb24d69554db2c4 (5 x Smoke Loader, 2 x AZORult, 1 x AgentTesla)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/259092/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.GLW.genEldorado.32112.8380.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6242cb0ca19c649412a4ecc5/reports/6b45d2ad-e401-471a-9982-74a6c48bd5d5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/50612077-34ce-4c0d-bbbd-ccf44745858a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/966597
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 599092 Sample: MPVPgm6dV7 Startdate: 29/03/2022 Architecture: WINDOWS Score: 52 26 Multi AV Scanner detection for submitted file 2->26 28 .NET source code contains potential unpacker 2->28 8 MPVPgm6dV7.exe 15 3 2->8         started        process3 dnsIp4 24 sinhviendien.com 194.59.164.176, 49734, 80 AS-HOSTINGERLT Germany 8->24 11 WerFault.exe 23 9 8->11         started        14 cmd.exe 1 8->14         started        process5 file6 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->22 dropped 16 timeout.exe 1 14->16         started        18 conhost.exe 14->18         started        process7 process8 20 conhost.exe 16->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e6a13a9bfd37d8f6ef83a6157de9f9c1d44d19073ffb7801cf13a44425296f0/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-03-29 09:02:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
17 of 26 (65.38%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
1c476c0784486ed82583ae459f3ff12b42de483e19116ac879cfafe2d75d8d0c
20d4be06e6eb3b24ad927696a212f26651e0bbba4f04078cc2d6b67679ab48e5
39b351ef5277e274be877b71e44f126e0c83744c62d4f4163ff7639d0386bdc0
aeab503c3cd3b3d5206ba0ae473f62901a5e0a2f5ac342317b575d625d8061cc
b57d7fdc13da4ebc56c644bccaa32e31150121eee06bd74f609e2f89f4b63c1b
c2af46184ff730426a4867787fd7fb15737a3144f999b18d7b2fe0c67c0927a7
c5dacb79bb5f1021b128deef833d1c45bea09c6c27a4a0da9f090509f256ec52
f2eef408d5e84efd502484da5b61b0a128bc39023cdda2aedc3acccfef46b100
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220329-kze7yahabm/
Behaviour
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
8e6a13a9bfd37d8f6ef83a6157de9f9c1d44d19073ffb7801cf13a44425296f0
MD5 hash:
0af11be93fd49bde3f5dc03a3b92cbb9
SHA1 hash:
2fd1efe5dee56cae61d8359b28faa358255bdcb3
Link:
https://www.unpac.me/results/c593e5b4-28f2-47e9-91d1-c0de5529745e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/8e6a13a9bfd37d8f6ef83a6157de9f9c1d44d19073ffb7801cf13a44425296f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8e6a13a9bfd37d8f6ef83a6157de9f9c1d44d19073ffb7801cf13a44425296f0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2118533/
Cape
Cape
https://www.capesandbox.com/analysis/259092/

Comments


Avatar
zbet commented on 2022-03-29 09:01:14 UTC

url : hxxp://192.210.219.44/77/vbc.exe