MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f27be1ecb81ba8321027a1ad30f3edb5c4e6317c38facdd8059847de2f8f72b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	8f27be1ecb81ba8321027a1ad30f3edb5c4e6317c38facdd8059847de2f8f72b
SHA3-384 hash:	bd49c5975475f3b87426359e0388554112f426a5b7182f73cba5d4c464e746d3d47f09efd9b039a833db62873b8251b7
SHA1 hash:	9169dfb7ba7302aaf7f5df410fe9db5fea21b817
MD5 hash:	eedbd28ff032dc43367c03e90ab06c61
humanhash:	lithium-lion-hawaii-undress
File name:	SecuriteInfo.com.Trojan.GenericKD.36471379.15757.8859
Download:	download sample
File size:	48'296 bytes
First seen:	2021-03-09 10:49:39 UTC
Last seen:	2021-03-09 14:26:40 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	768:uVKXyLSO6NGY8k6Ex1ST7gYjJTyjoIun8vgh8:oL8GY8k6USTfjJTyjor8v9
Threatray	34 similar samples on MalwareBazaar
TLSH	C32373B03AEF8012E5FABEB62FC43FE2581D7B85390A709AA4090261AD32715DCD5D35
Reporter	SecuriteInfoCom
Tags:	signed

Code Signing Certificate

Organisation:	viAySHmYVBRSiymohNhewbPRydjHq
Issuer:	viAySHmYVBRSiymohNhewbPRydjHq
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-03-08T05:36:58Z
Valid to:	2022-03-08T05:36:58Z
Serial number:	8280be14cb98a147f78ccf974ca05528
Thumbprint Algorithm:	SHA256
Thumbprint:	a719d74d66b97920d210c2959d60da2be721e1f3cc48b00c19800c5c9aa9c311
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PO.doc

Verdict:

Malicious activity

Analysis date:

2021-03-08 15:03:36 UTC

Tags:

trojan exploit CVE-2017-11882 loader

Link:

https://app.any.run/tasks/21c6cc6a-1d7f-41ca-a83b-8692a6962ced

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/123134/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.36471379.15757.8859.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

DNS request

Sending an HTTP GET request

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/632627

Signature

Binary contains a suspicious time stamp

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Generic

Status:

Suspicious

First seen:

2021-03-08 12:57:47 UTC

File Type:

PE (.Net Exe)

AV detection:

13 of 47 (27.66%)

Threat level:

5/5

Verdict:

suspicious

07c81cceba2e04d6daebd227f37525bd931d19491dc6dc903e99b0176f1a9252

1af396b600d9042cc765acfe776e777ea209198d5e50a90a3052310921c1caa7

84858fb9b1e2533886a654de52671d91b9d9d7f77ecc7a883d6f03821376b3c3

93dcb5e481c554ccc133ee14c20fcb50739cabc678759030fc39c2d9469c71a9

adbfaef61c436d79f0ab2c890570f73ae979609feafd21d9932e86641aac05dd

cbf445acf88f00bf98448420369d09bb35264d53667272e3363fae6378fa7a1b

d2fdd26effc669ec89f294c59ba3bd55a698c75fe89404655b6b010ef76f2237

ee93164d6493fe2cbb9382928a863ef04651f0c1ec81409c4601349b19db57db

fc6ea0c4fe6733f5e28ff0476efbacb55d2f8ce35e4313988454f77c819afb56

+ 24 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210309-9gtkxene3x/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

8f27be1ecb81ba8321027a1ad30f3edb5c4e6317c38facdd8059847de2f8f72b

MD5 hash:

eedbd28ff032dc43367c03e90ab06c61

SHA1 hash:

9169dfb7ba7302aaf7f5df410fe9db5fea21b817

Link:

https://www.unpac.me/results/4313bbf6-cfcb-428c-8b72-9ddf44b965f8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/8f27be1ecb81ba8321027a1ad30f3edb5c4e6317c38facdd8059847de2f8f72b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe 8f27be1ecb81ba8321027a1ad30f3edb5c4e6317c38facdd8059847de2f8f72b

(this sample)

Cape

https://www.capesandbox.com/analysis/123134/

URLhaus

https://urlhaus.abuse.ch/url/1056299/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample