MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9783848b6d9e835847a4fb4b8c8c4342798d19ab2c0fe679e6139826abf32989. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 9



SHA256 hash: 9783848b6d9e835847a4fb4b8c8c4342798d19ab2c0fe679e6139826abf32989
SHA3-384 hash: bed6c910273f90a6c27a1b742eda330fdcc85e8d76d584c6f5ce8233c27788bdc08a5dfdf9895abe3992d105f7472424
SHA1 hash: 2b5111b0b6dcc8abdeea46cb09821a716b7cff6c
MD5 hash: c43cbc7a07a386c37378c2e71e2ff86d
humanhash: diet-gee-wyoming-princess
File name: COTIZACIÓN.pdf.exe
File size: 1'590'272 bytes
First seen: 2021-11-11 17:24:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared by 48'666 AgentTesla, 19'479 Formbook and 12'209 SnakeKeylogger samples)
ssdeep: 24576:NwC08lgqyQuW31BK4D0ARCYzcGRxbxgQpULLiCzJljusVV9rzqxI1QtN:qC0UgqhlFZF1rnxgrLLzusV/rzq+Qf
Threatray: 205 similar samples on MalwareBazaar
TLSH: T17675232B7A68DD45E13A9536CCEF940413FEBC066D62DB09BECD22CF2D92390286155F
Reporter: malwarelabnet
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 100
Origin country: n/a
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated, packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary can be suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Behaviour

Behavior Graph (ID 520118; sample COTIZACIÓN.pdf.exe; start date 11/11/2021; architecture WINDOWS; score 100). The graph image itself is not reproduced here; the process tree and file drops recoverable from it are:

Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 5 other signatures.

COTIZACIÓN.pdf.exe (initial process)
  drops C:\Users\user\...\COTIZACIÓN.pdf.exe.log (ASCII)
  injects a PE file into a foreign process
  starts two further COTIZACIÓN.pdf.exe instances; one of them re-executes COTIZACIÓN.pdf.exe in a chain of seven generations, the first six of which hide that the sample was downloaded from the Internet (zone.identifier)
    one generation drops C:\Users\user\AppData\...\LookupSvi.exe (PE32) and C:\Users\user\AppData\Roaming\...\secdrv.exe (PE32)
    the next generation drops C:\Users\user\AppData\...\AeLookupSvi.exe (PE32) and C:\Users\user\AppData\Roaming\...\ProfSvc.exe (PE32) and injects a PE file into a foreign process
    the last generation drops C:\Windows\SysWOW64\7za.exe (PE32), C:\Users\user\AppData\Roaming\Paint.exe (PE32), C:\Program Files\...\msoia.exe (PE32) and 32 other files (14 malicious), and infects executable files (exe, dll, sys, html)
Paint.exe (second top-level process)
  starts two Paint.exe children, one of which starts a further Paint.exe
Threat name: ByteCode-MSIL.Trojan.Zilla
Status: Malicious
First seen: 2021-11-10 16:29:55 UTC
AV detection: 23 of 45 (51.11%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
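The sandbox signatures and behaviours listed above (a document extension in front of .exe, PE files dropped into AppData\Roaming, SysWOW64 and Program Files, a Run key pointing at the dropped copy, an autorun.inf) map directly onto endpoint detection logic. The Python below is an example added to this page, not MalwareBazaar or sandbox-vendor code. The event records are constructed to mirror the process tree in the behaviour graph; the field names (Image, TargetFilename, TargetObject, Details) follow Sysmon naming, but the records themselves and the rule names are assumptions of this example.

```python
"""Detection checks for the sandbox signatures and behaviours listed above.

Example code added to this page; it is not MalwareBazaar or sandbox-vendor code.
The events below are constructed to mirror the behaviour-graph process tree;
field names follow Sysmon conventions, but the records are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Document-like extensions placed in front of the real one so that Explorer,
# which hides known extensions by default, shows the file as "COTIZACIÓN.pdf".
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
            ".txt", ".rtf", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1"}

# Locations the sandbox run above dropped PE files into; compared lower-case.
SENSITIVE_DIRS = ("\\windows\\syswow64\\", "\\windows\\system32\\",
                  "\\program files", "\\appdata\\roaming\\")

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce, any hive prefix.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def double_extension(image):
    """Return (doc_ext, exec_ext) when a path ends like name.pdf.exe, else None."""
    suffixes = [s.lower() for s in PureWindowsPath(image).suffixes]
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS:
        return suffixes[-2], suffixes[-1]
    return None


def analyze(events):
    """Run the checks over a list of event dicts; return (rule, event id, detail)."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            hit = double_extension(ev["Image"])
            if hit:
                alerts.append(("suspicious_double_extension", ev["id"],
                               "%s%s in %s" % (hit[0], hit[1], ev["Image"])))
        elif kind == "FileCreate":
            target = ev["TargetFilename"]
            low = target.lower()
            # A PE written into a system or roaming-profile directory by a
            # non-installer process is what the sandbox saw for Paint.exe, 7za.exe, msoia.exe.
            if low.endswith((".exe", ".dll", ".sys")) and any(d in low for d in SENSITIVE_DIRS):
                alerts.append(("pe_dropped_in_sensitive_dir", ev["id"], target))
            if PureWindowsPath(target).name.lower() == "autorun.inf":
                alerts.append(("autorun_inf_dropped", ev["id"], target))
        elif kind == "RegistryValueSet":
            # Run key whose value points into a user-writable profile path.
            if RUN_KEY_RE.search(ev["TargetObject"]) and "\\appdata\\" in ev["Details"].lower():
                alerts.append(("run_key_to_user_writable_path", ev["id"], ev["Details"]))
    return alerts


# Constructed events modelled on the behaviour graph above (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "Image": r"C:\Users\user\Downloads\COTIZACIÓN.pdf.exe"},
    {"id": 2, "type": "FileCreate", "TargetFilename": r"C:\Users\user\AppData\Roaming\Paint.exe"},
    {"id": 3, "type": "FileCreate", "TargetFilename": r"C:\Windows\SysWOW64\7za.exe"},
    {"id": 4, "type": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Paint",
     "Details": r"C:\Users\user\AppData\Roaming\Paint.exe"},
    {"id": 5, "type": "FileCreate", "TargetFilename": r"E:\autorun.inf"},
    {"id": 6, "type": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe"},   # benign control
    {"id": 7, "type": "FileCreate", "TargetFilename": r"C:\Users\user\Documents\report.pdf"},  # benign control
]

if __name__ == "__main__":
    for rule, event_id, detail in analyze(SAMPLE_EVENTS):
        print("%-32s event %d  %s" % (rule, event_id, detail))
```

The zone.identifier signature is not covered by these checks: it refers to the sample deleting the Zone.Identifier alternate data stream (the Mark-of-the-Web that SmartScreen and Office consult), and catching that needs file-stream telemetry rather than process or file-create events. The double-extension check is deliberately narrow (document extension immediately followed by an executable one) to avoid firing on legitimate names such as setup.v2.exe.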
Unpacked files
SHA256 hash: 91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0
MD5 hash: b5044dd0e9c91b1a9185d491da7d07f2
SHA1 hash: a9ff8129771d85f77b6a145f750c70e53f51125e

SHA256 hash: 3f6f8c38b617efa8f30a9c625c8223cc7c84d778802d052053d8337217401d4c
MD5 hash: 1ea6aabe0a9af2c78407b6a47698e817
SHA1 hash: c8361a785a13610a21fc4805215231e7e46e76f2

SHA256 hash: a8dcb3bbabfba6e7f22207492f4ff6d8976bb2bee502ce145ff0e8b33d7c42ae
MD5 hash: 4f328caa4aec70994c3f2250ae8702a7
SHA1 hash: 0f8c1b9315a9988adee3320ba77fde0e88e8774f

SHA256 hash: c57394dcdf14ee5770166280e6c8535e990af404c7649cab7ba6156afe4d7983
MD5 hash: 5693725de20432aff515cacbf202b6c3
SHA1 hash: e337f47898eeac202b08d859bd8292e4b88747c7

SHA256 hash: 3d19152074cb90dd3df53dbfb60bb500e3305aecca986d6c91ea058d541bdafa
MD5 hash: 01a21bc538cc7f04c06843d3f85ec8c9
SHA1 hash: fd28202c609c5648ba78d52544956c3329716ab6

SHA256 hash: 9fd9ae97b476042abcaae49dee6cb8463b5ccac3a2cdd7df2feb5bbf0d58ca6b
MD5 hash: 7a8fb2af99495ba9b0c3dbdf1cd350c9
SHA1 hash: 330327cf75d808cacf8375c6220b9ad83372f626

SHA256 hash: ebdaf8b3455373f1e214b7e1bc3866e598270123fc05110e6af36f13aad7d53d
MD5 hash: 6c592156ecec344755c200d9bc860454
SHA1 hash: 8287502a10d374ac25e8712b954a24dca0cdd007

SHA256 hash: 2f7a005b9b83aec6dd19e6b53530745d9fdff0590ffca0a8ed8047dc11b3c335
MD5 hash: 927c0ce36865c9f2704cbe8c81c23e83
SHA1 hash: cf7a9098ec615cdf62f7ccf127b1c71ed4e97550

SHA256 hash: bf8e7e7376483abee4047d5faffb00c34b0faa6551531c112dc422716eeadd32
MD5 hash: ce490da769ea596e0ded5e50e2bccf99
SHA1 hash: 4382ebc9e5a7986df2a3bdb7c352d3d55703a4fa

SHA256 hash: 645b339f8e74b96c421aa876d3d7a56419051024e9ac29c378679b387e6204a8
MD5 hash: 44142d1a1edc973dd0142a910a120380
SHA1 hash: dc6cd08cb56b4b500d718418f5ba2d68c10890a2

SHA256 hash: a5c50b98d18fc2687a9dee335742a1d0738c3aa21d212af563571336b8e13620
MD5 hash: 2684c88620aba00cbdc13a4aad9dd53c
SHA1 hash: d3282d6bc451b7522c3056aaa494245ff670636b

SHA256 hash: 9783848b6d9e835847a4fb4b8c8c4342798d19ab2c0fe679e6139826abf32989 (the submitted sample itself)
MD5 hash: c43cbc7a07a386c37378c2e71e2ff86d
SHA1 hash: 2b5111b0b6dcc8abdeea46cb09821a716b7cff6c
Please note that we are no longer able to provide a coverage score for VirusTotal.
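The unpacked-file hashes above are the concrete indicators a responder can sweep a host or file share for. The script below is an example added to this page (it is not MalwareBazaar tooling): it reads each file once, computing MD5, SHA1 and SHA256 in the same pass, and reports files whose SHA256 is in the list above or whose MD5/SHA1 equals that of the submitted sample. The scan root is passed by the caller and is an assumption of this example.

```python
"""Sweep a directory tree for files matching the hashes listed on this page.

Example code added to this page, not MalwareBazaar tooling. The scan root is
supplied by the caller and is an assumption of this example.
"""
import hashlib
import os
import sys

# SHA256 values from the "Unpacked files" list above; the first is the submitted sample.
IOC_SHA256 = {
    "9783848b6d9e835847a4fb4b8c8c4342798d19ab2c0fe679e6139826abf32989",
    "91655863c7906a8d20c7c782144f553c027843a72f2fdab2b1ccc80808083af0",
    "3f6f8c38b617efa8f30a9c625c8223cc7c84d778802d052053d8337217401d4c",
    "a8dcb3bbabfba6e7f22207492f4ff6d8976bb2bee502ce145ff0e8b33d7c42ae",
    "c57394dcdf14ee5770166280e6c8535e990af404c7649cab7ba6156afe4d7983",
    "3d19152074cb90dd3df53dbfb60bb500e3305aecca986d6c91ea058d541bdafa",
    "9fd9ae97b476042abcaae49dee6cb8463b5ccac3a2cdd7df2feb5bbf0d58ca6b",
    "ebdaf8b3455373f1e214b7e1bc3866e598270123fc05110e6af36f13aad7d53d",
    "2f7a005b9b83aec6dd19e6b53530745d9fdff0590ffca0a8ed8047dc11b3c335",
    "bf8e7e7376483abee4047d5faffb00c34b0faa6551531c112dc422716eeadd32",
    "645b339f8e74b96c421aa876d3d7a56419051024e9ac29c378679b387e6204a8",
    "a5c50b98d18fc2687a9dee335742a1d0738c3aa21d212af563571336b8e13620",
}
# Legacy-format hashes of the submitted sample, for feeds that only carry MD5/SHA1.
IOC_MD5 = {"c43cbc7a07a386c37378c2e71e2ff86d"}
IOC_SHA1 = {"2b5111b0b6dcc8abdeea46cb09821a716b7cff6c"}


def hash_bytes(data):
    """MD5, SHA1 and SHA256 of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Compute all three digests in a single pass so a large file is read only once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def match_iocs(digests):
    """Return the algorithms whose digest is on the IOC list (case-insensitive)."""
    hits = []
    if digests["sha256"].lower() in IOC_SHA256:
        hits.append("sha256")
    if digests["sha1"].lower() in IOC_SHA1:
        hits.append("sha1")
    if digests["md5"].lower() in IOC_MD5:
        hits.append("md5")
    return hits


def sweep(root):
    """Walk root and return [(path, sha256, hits)] for every matching regular file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or permission denied; such files need a separate look
            hits = match_iocs(digests)
            if hits:
                findings.append((path, digests["sha256"], hits))
    return findings


if __name__ == "__main__":
    for path, sha256, hits in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("MATCH %s  sha256=%s  via=%s" % (path, sha256, ",".join(hits)))
```

Exact-hash matching only finds byte-identical copies. The sandbox run reports that this sample infects executable files and drops 32 further files whose hashes are not listed here, so a sweep with no hits does not clear a host. The imphash on this page (f34d5f2d4577ed6d9ceec516c1f5a744) is shared by tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples and is therefore too generic to use as a pivot for this family; TLSH or ssdeep similarity against the values above is the better choice for finding repacked variants.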

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments