MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98a835c2be0b56df2a4a165bb9f437f18edd844e90e0e3a9ef5a6140476ccd9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 98a835c2be0b56df2a4a165bb9f437f18edd844e90e0e3a9ef5a6140476ccd9c
SHA3-384 hash: b6b0ed48d19ec950fa54bf8ac828604310f9638cd7c7cfa48aa378fc66dcd3291d11ca5695bfe35ab6291df0f3ff8a91
SHA1 hash: b2f9a493a5390006aae5a5c93da49c9b7ef27b3f
MD5 hash: fa8354e9715ed8e745403b6f8f163f50
humanhash: xray-oranges-oklahoma-video
File name:SecuriteInfo.com.Trojan.MulDrop6.57674.13164.17033
Download: download sample
File size:1'241'088 bytes
First seen:2022-04-14 10:33:51 UTC
Last seen:2022-04-20 10:21:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'013 x AgentTesla, 19'919 x Formbook, 12'332 x SnakeKeylogger)
ssdeep 12288:dh6hRfrfjZ59qaVZiBGdxNl3PRdeLNnskrEWq+mrqGr:89nZqoiiDhRYL+krTq+mmG
Threatray 2 similar samples on MalwareBazaar
TLSH T11D457D157BE4C532E1B23E305C71C2B16E7A3CA36934C11FBAC87A6E1A717909E513A7
TrID 58.6% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
21.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
3.1% (.EXE) Win64 Executable (generic) (10523/12/4)
1.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 697171f0f0f0f0f0
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.MulDrop6.57674.13164.17033
Verdict:
No threats detected
Analysis date:
2022-04-14 10:59:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/223957e6-9408-4e54-8412-5a8403b1e4f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/263650/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop6.57674.13164.17033.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Sending a custom TCP request
Creating a file in the Windows directory
Creating a service
Launching a service
Searching for synchronization primitives
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm control.exe greyware greyware obfuscated packed packed pnputil.exe remote.exe replace.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6257f8a8eab80a7a6c12178b/reports/6d509cf2-2283-4b36-b1ac-9f804f9f236b/overview
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/68d13ce3-995d-4464-86e1-ec6d01d48817
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/976734
Signature
Detected unpacking (overwrites its own PE header)
Drops executables to the windows directory (C:\Windows) and starts them
Found PSEXEC tool (often used for remote process execution)
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 609220 Sample: SecuriteInfo.com.Trojan.Mul... Startdate: 14/04/2022 Architecture: WINDOWS Score: 64 33 Multi AV Scanner detection for submitted file 2->33 35 Drops executables to the windows directory (C:\Windows) and starts them 2->35 37 Found PSEXEC tool (often used for remote process execution) 2->37 7 SecuriteInfo.com.Trojan.MulDrop6.57674.13164.exe 6 2->7         started        10 PSEXESVC.exe 2->10         started        12 svchost.exe 9 1 2->12         started        15 4 other processes 2->15 process3 dnsIp4 27 C:\zbxcdc\PsExec.exe, PE32 7->27 dropped 29 C:\zbxcdc\Anti-Registration.exe, PE32 7->29 dropped 17 PsExec.exe 1 2 7->17         started        20 Anti-Registration.exe 2 10->20         started        31 127.0.0.1 unknown unknown 12->31 file5 process6 file7 25 C:\Windows\PSEXESVC.exe, PE32 17->25 dropped 23 conhost.exe 17->23         started        39 Detected unpacking (overwrites its own PE header) 20->39 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/98a835c2be0b56df2a4a165bb9f437f18edd844e90e0e3a9ef5a6140476ccd9c/
Verdict:
unknown
Similar samples:
195014dababb9cb3fc685529d52dcd58a764f231a59b07a68f6673c454d831ee
454a4609c2eca473ad3c382cb3df9dff311070b0387ca397ada4483c9348aed9
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220414-ml4pgsbab7/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
772ef0d6e34c878aee296c38b9406e2604eeba60796cb1fad04e738a933900c9
MD5 hash:
744459fa9d1322f7869641f65c4234f1
SHA1 hash:
6cbeba4fb6ceadce4398837015042eb9ebd849e6
Link:
https://www.unpac.me/results/71682964-7c2d-424f-8944-60e4400b7f76/
SH256 hash:
32608bf9f26a3e5ec479d9985a55fde92133e6cd61ffdab034b01ed8e17977e7
MD5 hash:
8f5034b13695864b2e6f137ce7bc4f1e
SHA1 hash:
1505c9bc1325d29b3e31944ba376f8c71d6758dc
Link:
https://www.unpac.me/results/71682964-7c2d-424f-8944-60e4400b7f76/
SH256 hash:
98a835c2be0b56df2a4a165bb9f437f18edd844e90e0e3a9ef5a6140476ccd9c
MD5 hash:
fa8354e9715ed8e745403b6f8f163f50
SHA1 hash:
b2f9a493a5390006aae5a5c93da49c9b7ef27b3f
Link:
https://www.unpac.me/results/71682964-7c2d-424f-8944-60e4400b7f76/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/98a835c2be0b56df2a4a165bb9f437f18edd844e90e0e3a9ef5a6140476ccd9c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/263650/

Comments