MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13



SHA256 hash: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA3-384 hash: 06feed6b5b3c54d888cf0f9f58936b977b858c4ae5bafa18fe059bf6646ec8841c08f809788499fbd618b85f5cc57d7b
SHA1 hash: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
MD5 hash: a239a27c2169af388d4f5be6b52f272c
humanhash: lima-video-mike-bacon
File name: New Text Document.exe
File size: 4'608 bytes
First seen: 2023-10-26 07:27:32 UTC
Last seen: 2023-12-21 05:15:13 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
TLSH: T16991A705B3E84639D1B64B342DB3C3106A76F5459D77838EBCC4131E6D21B645A22FB2
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: JAMESWT_WT
Tags: exe LILKOOLL14 mail-bretoffice-com urls-haus-scrapping

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 307
Origin country: IT
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: FormBook, Lokibot, NSISDropper, RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies the hosts file
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample has a suspicious name (potential lure to open the executable)
Sample uses process hollowing technique
Sigma detected: Stop multiple services
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected aPLib compressed binary
Yara detected FormBook
Yara detected Lokibot
Yara detected NSISDropper
Yara detected RedLine Stealer
Behaviour
Behavior Graph: ID 1332496; Sample: New_Text_Document.exe; Startdate: 26/10/2023; Architecture: WINDOWS; Score: 100 (rendered process and network graph not reproduced here)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2023-09-30 19:47:16 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 18 of 23 (78.26%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:asyncrat family:formbook family:glupteba family:lokibot family:redline family:smokeloader family:stealc family:zgrat botnet:default botnet:kinza botnet:up3 campaign:4hc5 campaign:sy22 backdoor dropper evasion infostealer loader rat spyware stealer themida trojan upx
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Gathers network information
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Program crash
Launches sc.exe
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Themida packer
UPX packed file
Downloads MZ/PE file
Stops running service(s)
Async RAT payload
Formbook payload
AsyncRat
Detect ZGRat V1
Formbook
Glupteba
Glupteba payload
Lokibot
RedLine
RedLine payload
SmokeLoader
Stealc
ZGRat
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
MD5 hash: a239a27c2169af388d4f5be6b52f272c
SHA1 hash: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: MSIL_TinyDownloader_Generic
Author: albertzsigovits
Description: Detects small-sized dotNET downloaders

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments