MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 913accbcc9537c110e0ec272f0aaafa7e8a1fd1a3f525fa7d961ce894a246a60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 913accbcc9537c110e0ec272f0aaafa7e8a1fd1a3f525fa7d961ce894a246a60
SHA3-384 hash: f77adceb4490446437d6a7de6212fd9d846916f56acfa91e5b6963ea9f7954242d258f09482cf481113553202fdf2213
SHA1 hash: 56822fac1f9e6bf2ac125a498cf8b94363fd4c96
MD5 hash: adc46f04e0a3109a590bd96496db9faf
humanhash: connecticut-twelve-eight-nine
File name:adc46f04e0a3109a590bd96496db9faf
Download: download sample
File size:7'996'928 bytes
First seen:2021-07-08 10:27:58 UTC
Last seen:2021-07-08 13:48:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:A46QM4FuzAj5POEqy1KsJvbEtjNp/aHOJXZcgG0esel1G:rjCAjJOE2sJvwthxw0esel
Threatray 357 similar samples on MalwareBazaar
TLSH T16D8633C256414CB4C088F2F8FF2D9A054D2AED88F69568B6202DFD250FB6A57D904FB7
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
adc46f04e0a3109a590bd96496db9faf
Verdict:
No threats detected
Analysis date:
2021-07-08 10:32:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4afc2637-b909-4404-83c7-565c8365bb08

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170400/
Detection(s):
SecuriteInfo.com.generic.ml.29696.21428.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/90671760-caf5-4832-a9b4-61eac68686fc
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813391
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: WScript or CScript Dropper
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445802 Sample: JddwTbs2sf Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 40 Antivirus detection for dropped file 2->40 42 Antivirus / Scanner detection for submitted sample 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 5 other signatures 2->46 8 JddwTbs2sf.exe 3 12 2->8         started        process3 file4 30 C:\Users\user\AppData\Roaming\...\USB.exe, PE32+ 8->30 dropped 32 C:\Users\user\AppData\...\JddwTbs2sf.exe, PE32+ 8->32 dropped 34 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->34 dropped 36 4 other malicious files 8->36 dropped 48 Creates an undocumented autostart registry key 8->48 50 Writes to foreign memory regions 8->50 52 Modifies the context of a thread in another process (thread injection) 8->52 54 2 other signatures 8->54 12 wscript.exe 1 8->12         started        15 JddwTbs2sf.exe 8->15         started        17 AdvancedRun.exe 1 8->17         started        20 5 other processes 8->20 signatures5 process6 dnsIp7 56 Wscript starts Powershell (via cmd or directly) 12->56 22 powershell.exe 23 12->22         started        58 Antivirus detection for dropped file 15->58 38 192.168.2.1 unknown unknown 17->38 24 AdvancedRun.exe 17->24         started        26 AdvancedRun.exe 20->26         started        signatures8 process9 process10 28 conhost.exe 22->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/913accbcc9537c110e0ec272f0aaafa7e8a1fd1a3f525fa7d961ce894a246a60/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 10:28:14 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0db50b639d859d3ddf9aa74f96d12f7ecb189a0b3006a7ed1cfd73edbc34d220
2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
78baec19444d923fde30977dacb85fada9247b9e3ae150f32a1137e7fc0b8dfb
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
aead53d435ef092724b8b034e1472b9391e0bd1d742f00fd39a1dd1e7cb5ba06
c3528956666ac901c406c13e9b265cb805424e91919db91a1fe2227ffbc15c7a
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
ca146513d9ec6ec60b81b20fd9aa2f262c54d447e8361417c3c4b7678e51e6a5
e9573722d616d444c71e82f1ac6973921f3c942af4403760e0292b3ebf9159b0
+ 347 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://tria.ge/reports/210708-avnh3nypr2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Loads dropped DLL
Executes dropped EXE
Nirsoft
Unpacked files
SH256 hash:
913accbcc9537c110e0ec272f0aaafa7e8a1fd1a3f525fa7d961ce894a246a60
MD5 hash:
adc46f04e0a3109a590bd96496db9faf
SHA1 hash:
56822fac1f9e6bf2ac125a498cf8b94363fd4c96
Link:
https://www.unpac.me/results/c5156041-72aa-45f3-89f7-2acd7028c436/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/913accbcc9537c110e0ec272f0aaafa7e8a1fd1a3f525fa7d961ce894a246a60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 913accbcc9537c110e0ec272f0aaafa7e8a1fd1a3f525fa7d961ce894a246a60

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1435856/
Cape
Cape
https://www.capesandbox.com/analysis/170400/

Comments


Avatar
zbet commented on 2021-07-08 10:28:16 UTC

url : hxxp://porncamsworld.com/app.exe