MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99b52aee9fb4a580ead91250fff9f930484c53f69de0f59ebf51e2aec08376e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 99b52aee9fb4a580ead91250fff9f930484c53f69de0f59ebf51e2aec08376e7
SHA3-384 hash: 6795bc08d8444902f337301447d9a2e14948daa426c68694e3ba07e690a5b758edabf2bc741dac49f55ae7bf05afe696
SHA1 hash: 92492491c099548f7a4aa72e13591346aa9043a7
MD5 hash: 9e36f3be11487905143c49ba9cd45d77
humanhash: undress-sad-quiet-kentucky
File name:file.exe
Download: download sample
File size:1'693'184 bytes
First seen:2023-02-23 08:13:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:q1LqY5nbY/2D2wHRsdOsFLgr1eX1ilxf6fDrykBi/3dm96Td833t9gydJYo8+Ecs:yUTGT233BM1cTkNwZdx
Threatray 2'287 similar samples on MalwareBazaar
TLSH T1C875CFF1310BBE4E5B672DC7F90436324C5CAE6F5B65C248FFD80EE412A61199DA48B8
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter abuse_ch
Tags:dropped-by-gcleaner exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
237
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-02-23 08:16:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8c216db0-d05b-4521-8380-83fdc21e7c45

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/369185/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/63f7204ed385ee5858516098/reports/5a9e8213-b482-47ac-be3b-11f97a18ad46/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/99b52aee9fb4a580ead91250fff9f930484c53f69de0f59ebf51e2aec08376e7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0388f3c0-422e-4387-bdf8-3729fbee04f5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1181131
Signature
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813962 Sample: file.exe Startdate: 23/02/2023 Architecture: WINDOWS Score: 76 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Costura Assembly Loader 2->44 46 Yara detected Generic Downloader 2->46 7 file.exe 1 5 2->7         started        11 Vxnxaesgo.exe 2 2->11         started        13 Vxnxaesgo.exe 1 2->13         started        process3 file4 34 C:\Users\user\AppData\...\Vxnxaesgo.exe, PE32+ 7->34 dropped 36 C:\Users\...\Vxnxaesgo.exe:Zone.Identifier, ASCII 7->36 dropped 38 C:\Users\user\AppData\Local\...\file.exe.log, CSV 7->38 dropped 48 Encrypted powershell cmdline option found 7->48 50 Modifies the context of a thread in another process (thread injection) 7->50 52 Injects a PE file into a foreign processes 7->52 15 file.exe 2 7->15         started        18 powershell.exe 16 7->18         started        54 Multi AV Scanner detection for dropped file 11->54 20 powershell.exe 11->20         started        22 Vxnxaesgo.exe 2 11->22         started        24 powershell.exe 13->24         started        26 Vxnxaesgo.exe 13->26         started        signatures5 process6 dnsIp7 40 23.95.128.211, 7701 AS-COLOCROSSINGUS United States 15->40 28 conhost.exe 18->28         started        30 conhost.exe 20->30         started        32 conhost.exe 24->32         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/99b52aee9fb4a580ead91250fff9f930484c53f69de0f59ebf51e2aec08376e7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-02-23 08:14:11 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tg2sv3u7wssyb2wzcjip76pzgbeeyu7wtxqplhv7khrk5qedo3tq._file
Verdict:
malicious
Similar samples:
216aff751115d8cb76f6e1304f27ae08d2669e63307e6063a41a44b011e1092c
35972ee59b320666b4a57606c57aaba684d63633e32b28950a7ba6a76462f521
5d8e70acefcbcc2eff05078efbea2c82d7a051edaabfa4caaf6d48fc9d6644e3
64e887eda2c85f7fad852dc987507792c58522703e9e0dcdb2b35dada1807904
a902469714ec172e7d2fde514e058670f21d8a5dba89241fd4f3ccc23baf4288
bc2f9fb51d4da2cf6a3009c0540ad2031a544dad8d37a3c262728e2012d60f2c
d866999cf2f0aa7f45e78c025cf983f2c3633370af50c645203eca1f71273497
e786277086340b57fe809a77cf9ccf0637c59d049abd8b54588fc6193dd2bdf8
fa8d8657315c0ff3057652f4b34194de08fa9d2ff3028ad2043b53c551851358
+ 2'277 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230223-j4z78sha5w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
99b52aee9fb4a580ead91250fff9f930484c53f69de0f59ebf51e2aec08376e7
MD5 hash:
9e36f3be11487905143c49ba9cd45d77
SHA1 hash:
92492491c099548f7a4aa72e13591346aa9043a7
Link:
https://www.unpac.me/results/d6df40e0-a7f4-44eb-a4e5-9ce97e83f7de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/99b52aee9fb4a580ead91250fff9f930484c53f69de0f59ebf51e2aec08376e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369185/

Comments