MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f64cada1ae0ce078000eb696cb584e8614611f0f1efabb0487fcf853fd8415e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	8f64cada1ae0ce078000eb696cb584e8614611f0f1efabb0487fcf853fd8415e
SHA3-384 hash:	c0f8508fffa044eecd03404addc02c0cfb13709867ede051024baa7a575e403a89561220c86341d8a194d20237ed7d6b
SHA1 hash:	340a62b58e58c64ee36ebecbf9a23e37a34520e7
MD5 hash:	466f9251ef93eecc124eeba1de769ff8
humanhash:	six-quiet-seventeen-maryland
File name:	SecuriteInfo.com.W32.AIDetectNet.01.14158.14188
Download:	download sample
File size:	499'712 bytes
First seen:	2022-06-27 13:50:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:RcMxDDjxd/YT5YA8pZo/Vrmr/rceCOuxDexasIw0OrO2zBXfW3uM1EPHx0IOqbmg:RcMRDj4Oo/VyrDLuZz/wVtVfWrmRVO9
Threatray	1'559 similar samples on MalwareBazaar
TLSH	T144B4015AB6E3ED56C1B56633E0E20610277E63C71A27EB1FA2CDB25D0D123DDC8126C6
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	b2f949b1bafab8b0 (18 x AgentTesla, 17 x Loki, 17 x Formbook)
Reporter	SecuriteInfoCom
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/283595/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/62b9b60c7e9a4f0a86e8c78d/reports/1fe90ddf-73a5-4f28-b8b2-64523d12358c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec2c69af-e480-4cd2-b43e-bf1f557cdd70

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1020499

Signature

.NET source code contains potential unpacker

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8f64cada1ae0ce078000eb696cb584e8614611f0f1efabb0487fcf853fd8415e/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-06-27 10:29:10 UTC

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=r5smvwq24dhapaaa5nuwznme5bqumepq6hx2xmcip7hykp6yifpa._file

Verdict:

malicious

2b612a5101a5cd19cbf0f7476308c7d29a58e33db933a8659063d09f6cc68b66

3494aedb31c48348dec897c6ff16ea0a682a7ca292b84f912306e4877c10b1c4

3ebffe25deb8f02e10b07eab7085d67df052230f976c3a5b49ceb0df69e24b47

42b0ccbc2545a60b0aefdce149c1d3e766293ba645afb3d1ba905be1dc765fe9

9ad345178baa52adf43ebd200240aafb4e258b47c986ea270b41ab1f209bda40

b8cbb6eb983f4da1bd769e24a8c0e0e0f703649cbfe71314a9b672317f548a31

b91bc0502520088a6dc736f33af703305dc0c17ad94085ac6f4f9a027a9757a4

e27453058e55d6e38040a68bbe21c41e26d058e93c8c9b457f09a9f1722d04e7

f9f0ee1a3ac1ae5260be8397d9b610b960971a9df353f41be9fa4596aff5eff3

+ 1'549 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/220627-q5s9msdee8/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

0aa8ea56f670ef5041fe87ee1a27b6623c2cf7996ed489214aa076996ca40cac

MD5 hash:

faf84cab64260654988db2f9157f8f89

SHA1 hash:

e1e6ebeaf252c78e74c1355cdefc6a2c52cfab70

Link:

https://www.unpac.me/results/c88929be-8ed6-4779-95cf-e73e072b5300/

SH256 hash:

0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c

MD5 hash:

843aa6edf83bff7b61c6a5369ef41e95

SHA1 hash:

d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085

Link:

https://www.unpac.me/results/c88929be-8ed6-4779-95cf-e73e072b5300/

SH256 hash:

6eb5a9625ce346bf7294e29ee01536d231eac142658676ad328ce9e3b6a5b9c4

MD5 hash:

471a3f8484b2b90dda70f104e9b9fb7c

SHA1 hash:

3f173c9b792cf44c94bfeae77a44a1c0411fd8d3

Link:

https://www.unpac.me/results/c88929be-8ed6-4779-95cf-e73e072b5300/

SH256 hash:

8f64cada1ae0ce078000eb696cb584e8614611f0f1efabb0487fcf853fd8415e

MD5 hash:

466f9251ef93eecc124eeba1de769ff8

SHA1 hash:

340a62b58e58c64ee36ebecbf9a23e37a34520e7

Link:

https://www.unpac.me/results/c88929be-8ed6-4779-95cf-e73e072b5300/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/8f64cada1ae0ce078000eb696cb584e8614611f0f1efabb0487fcf853fd8415e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/283595/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample