MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c314173c29d6344fd79b6c2a822ffd345ad3b79a838f30a3a8cfbbf9348d946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c314173c29d6344fd79b6c2a822ffd345ad3b79a838f30a3a8cfbbf9348d946
SHA3-384 hash: 66b330590812be32f760db332ce26c3e7a3f739b9e525eed3e3a794cad98deed5f63df4259eac5ae76b458767b12e6c0
SHA1 hash: c2a4188c6f714c501f4a61b4685491ea8855b261
MD5 hash: cf9dafb365a3716c60c6f24be34b1376
humanhash: uniform-green-seventeen-queen
File name:SKM_C3350191107102300.exe
Download: download sample
File size:347'136 bytes
First seen:2020-10-21 10:00:10 UTC
Last seen:2020-10-21 14:15:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:OzIQHUTY+8Ffb2l/FB66w82AGjzL3JDimRasjP4iidEZ:
Threatray 40 similar samples on MalwareBazaar
TLSH F774103C9EE9263786BBD675C9F5558BF81538833126AC8E94D703520B03B677DC222E
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: condor3828.startdedicated.com
Sending IP: 148.72.158.138
From: Anita Zecic <financemail@nom-uk.com>
Subject: AW: AW: - Invoice request
Attachment: SKM_C3350191107102300.zip (contains "SKM_C3350191107102300.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/73982/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/505654
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301887 Sample: SKM_C3350191107102300.exe Startdate: 21/10/2020 Architecture: WINDOWS Score: 92 23 Antivirus detection for dropped file 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for dropped file 2->27 29 6 other signatures 2->29 7 SKM_C3350191107102300.exe 16 5 2->7         started        11 vlc.exe 14 3 2->11         started        13 vlc.exe 2 2->13         started        process3 file4 19 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 7->19 dropped 21 C:\Users\user\...\vlc.exe:Zone.Identifier, ASCII 7->21 dropped 31 Adds a directory exclusion to Windows Defender 7->31 15 powershell.exe 25 7->15         started        signatures5 process6 process7 17 conhost.exe 15->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c314173c29d6344fd79b6c2a822ffd345ad3b79a838f30a3a8cfbbf9348d946/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 00:08:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqyuc46ctvruj7lzw3bkqix72nc22o3zva4pgcr2rt537e2i3fda._file
Verdict:
unknown
Similar samples:
02fcb6cdd4b61cbf7f40448784a36d0067e618cac935aebf6fd6f482af076ba3
0bd23f7c9dce69a94544e24f503955a0fda75586b8da539e89717ee9c5271f96
3e306d7047d78c4f7381e51c0fa80b840e5fa76b14393195faea2791166671b5
5b38a4755a8300052443ad21fe01717fe6b94ccc1a6747f9a8d8c878a8513df5
60e0625b9dc6a06473b96fd2972c145e71120d7d6a106713c76d7be4ccf75478
6691e9168b039728f0616a60def86e948c4a3a84e3120476c58eff14ef86d239
74d28adc3557d41c3b20e1babb4a9307af0e981e606b505b55a6565c2cbde44c
878d3d77023a927c7dc6aaab23b90cd1203bcd1bacdeedf997692a4c60d24129
8ab8448549ffa379c39811667a25d2e922c6ed440de7ceae541e76b06d315f47
ddbfb1a2ca2a24afe477e841d9bf6ccfd98a1ed0193ea237c31269f26284faa1
+ 30 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/201021-6d464e3eee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
9c314173c29d6344fd79b6c2a822ffd345ad3b79a838f30a3a8cfbbf9348d946
MD5 hash:
cf9dafb365a3716c60c6f24be34b1376
SHA1 hash:
c2a4188c6f714c501f4a61b4685491ea8855b261
Link:
https://www.unpac.me/results/a745e786-2297-4786-bd88-aa0b688ed29a/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 465eacde6510f705e7bf7bf8946917fab4610b60072fd29e486bd66b4a8817b6

Executable exe 9c314173c29d6344fd79b6c2a822ffd345ad3b79a838f30a3a8cfbbf9348d946

(this sample)

  
Dropped by
MD5 c72b78b0f3d80badada6e579ba00dd49
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 465eacde6510f705e7bf7bf8946917fab4610b60072fd29e486bd66b4a8817b6
Cape
Cape
https://www.capesandbox.com/analysis/73982/

Comments