MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e862b73698626839f4f9054f4082caf9af7d8a8c90d1bbd5831f9e6a0390670. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e862b73698626839f4f9054f4082caf9af7d8a8c90d1bbd5831f9e6a0390670
SHA3-384 hash: 00a5d64039619b5b11994a20e6376a9e26e66ba23c9ffb3c693d9b924b8236c3fc3852f412ac4ea05f40119e4ceaf5fa
SHA1 hash: d6c1b44fdcdf7771b1fbafeb9dbcb95534173ca5
MD5 hash: 2b9c3332c9dbfe3e63ef6391a827b3f3
humanhash: bravo-johnny-magazine-network
File name:2b9c3332c9dbfe3e63ef6391a827b3f3
Download: download sample
File size:855'040 bytes
First seen:2022-09-11 07:26:33 UTC
Last seen:2022-09-11 07:48:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NI34crwQN0Ok90i84m82fP7tdvXSVdOm:NI34AN0Ok90i84m9fP7tdvXA
Threatray 3'166 similar samples on MalwareBazaar
TLSH T1B0056005D167880DE4D3D0F5E4AD38C04FA5BD4EC2A1B2A4B6CF5D0E6BD8DE489E83A5
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
312
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b9c3332c9dbfe3e63ef6391a827b3f3
Verdict:
Malicious activity
Analysis date:
2022-09-11 07:26:59 UTC
Tags:
opendir
Link:
https://app.any.run/tasks/f17e9463-06da-43b8-b16a-1e5e5bb63e2b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309247/
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.30994.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Sending an HTTP GET request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed packed
Link:
https://www.filescan.io/uploads/631d8e0aa90642bcbbffbe2a/reports/2c9967bf-535e-4ebe-8a04-750dfd1ceab1/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35b349c0-fb9e-4bfe-a550-20a8adba7556
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1068381
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e862b73698626839f4f9054f4082caf9af7d8a8c90d1bbd5831f9e6a0390670/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-11 07:27:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r2dcw43jqytihh2psbkpicbmv6nppwfizegrxpkygh46nibzazya._file
Verdict:
malicious
Similar samples:
0aebdeb98f747dd7c32f0a3644e392fc859be7728d125510ee59ce790d4e93e6
67b1a7835687bf5851cf29539b2d0ce90ab30d373edfcf9ee54237026c67df33
75d64953f0fd593055e9d0c8e23f085dbbcb4a1bbb1c24bbd2e6b80281b09bed
956bd054893f8940d72ec94175b2f063ac759a1f9cee3a0cad7eb3b7871bae2f
a738901fe0f246517e9d1b60c7df29cc9ff4db2ff588e5e28f9bf7e6ff3267a0
accc1335de419c84a5c045da87bb17f741aa1df71ee62c2ea1b8d010e32df890
b17bfed7ccb65140f22de398cfcb56faa877dd36410bac51453f8ad9f1537bda
b811328fd6ddf4562a9f6066fd93193e3a344fc482dd9303c131d81888017b9a
f6c873080547760ab6e3e7d4b59c74cbfb9151275e7aa6f888d251f4549c7e69
+ 3'156 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/220911-h94beaehgq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
8e862b73698626839f4f9054f4082caf9af7d8a8c90d1bbd5831f9e6a0390670
MD5 hash:
2b9c3332c9dbfe3e63ef6391a827b3f3
SHA1 hash:
d6c1b44fdcdf7771b1fbafeb9dbcb95534173ca5
Link:
https://www.unpac.me/results/a86e6b32-358b-409f-8d76-1550e5ed1ade/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/8e862b73698626839f4f9054f4082caf9af7d8a8c90d1bbd5831f9e6a0390670

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:SUSP_Reversed_Base64_Encoded_EXE_RID3291
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 8e862b73698626839f4f9054f4082caf9af7d8a8c90d1bbd5831f9e6a0390670

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2299384/
  
URLhaus
https://urlhaus.abuse.ch/url/2299401/
Cape
Cape
https://www.capesandbox.com/analysis/309247/

Comments


Avatar
zbet commented on 2022-09-11 07:26:35 UTC

url : hxxp://81.161.229.110/htdocs/pLGWmNxZBDRkiYP.exe