MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9
SHA3-384 hash: 00bdbf2095d72f166453e09bcc68050b58689307b9fd631808e530e91321e80e38ace292924a49dd699dd671d01ca5d4
SHA1 hash: 1930fdd5a98eb2f5307a5a4b5bda535985352d5b
MD5 hash: db0b8c1100f32aafe63cb885a30cc7e0
humanhash: vermont-double-ten-cat
File name:db0b8c1100f32aafe63cb885a30cc7e0.exe
Download: download sample
File size:528'752 bytes
First seen:2020-11-19 06:10:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:fIlzItPXJmw7McymDu+clSewXW6A2duL1UCTT5S8fDA6RAKzhq/e4unXk6TVYTMm:wu/ow7rydwGfUCTVA6RXzhzFUu/
Threatray 47 similar samples on MalwareBazaar
TLSH 1BB410F440AF50A2F28B8956366EBDA441B2F1C7EBDA5D08137CE6311BBDA533B0464D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Creating a file in the Windows subdirectories
Launching a process
Changing a file
Setting a global event handler
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/542254
Signature
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320225 Sample: EhXZGbozVF.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 80 51 Multi AV Scanner detection for submitted file 2->51 53 Machine Learning detection for sample 2->53 55 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->55 8 cmd.exe 1 2->8         started        10 EhXZGbozVF.exe 3 2->10         started        13 taskkill.exe 1 2->13         started        process3 file4 15 pitepdil.exe 1 8->15         started        18 conhost.exe 8->18         started        49 C:\Users\user\AppData\...hXZGbozVF.exe.log, ASCII 10->49 dropped 20 EhXZGbozVF.exe 4 10->20         started        23 conhost.exe 13->23         started        process5 file6 57 Antivirus detection for dropped file 15->57 59 Multi AV Scanner detection for dropped file 15->59 61 Detected unpacking (overwrites its own PE header) 15->61 25 powershell.exe 22 15->25         started        27 powershell.exe 20 15->27         started        29 powershell.exe 15->29         started        33 4 other processes 15->33 47 C:\Windows\Temp\pitepdil.exe, PE32 20->47 dropped 31 cmstp.exe 9 7 20->31         started        signatures7 process8 process9 35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 00:27:39 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
2bea53a14d59fc7d772ea805af47b3b8ddddbf201a7e8d9e7ebd7ca422702a30
36e711a66774ed0b6457f8d442315a4d1b5d06781a8ab1254abda5ba824bb816
463ca08ac1072947eaa864e2f94e3703b1e9826543e194be0b45e2aa20331872
6c48ef627ef59ceb65a7bc0dc24b8df5c9127a37b033c8aef5a1851b4f107a3b
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb
77d3172d77aa45c61b8563dcb13b26bd2f8f9fb4cbc2fcc966966a26f316ba56
8f00b0da22ad089cc4f9e26d98d4f2000ea0cba3add268d471be4f027c1a965c
bee8a143562146fc38a4d02e59d2f2e280dc0a547cda9983dfde0aacdea4e99e
cfda81fea66e56fe0f6a8eed267b836f31c7c3f1d7ecdf08fb0c13f8203e7dcb
ef9d0a47d16301129755a6d9570f1f1bdc167bfee3d6649aad9835366920bf25
+ 37 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201119-eptzftnqwe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9
MD5 hash:
db0b8c1100f32aafe63cb885a30cc7e0
SHA1 hash:
1930fdd5a98eb2f5307a5a4b5bda535985352d5b
Link:
https://www.unpac.me/results/a26644ff-6a39-471f-bd0d-42b9f6268483/
SH256 hash:
087d0c0315da38a9c29aab66a628d05b169013d8135de9652e6a83bee15e8d8d
MD5 hash:
215d10c58de49c8d224e9a77d42961db
SHA1 hash:
2bb0effd16fb00c44aa78ba949a0e0d9a1cb4f94
Link:
https://www.unpac.me/results/a26644ff-6a39-471f-bd0d-42b9f6268483/
SH256 hash:
83c08f0721c8b0c96e3d6a8f3ccaf5c96fbcc427d574625c34424c3429fefaa1
MD5 hash:
3c5dbcc3bb27e913e14efd8054811373
SHA1 hash:
b0eba9388abddaef9d5aa49ccd5dbab2924cced0
Link:
https://www.unpac.me/results/a26644ff-6a39-471f-bd0d-42b9f6268483/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/a26644ff-6a39-471f-bd0d-42b9f6268483/
SH256 hash:
4479ba10449b4a122cbf07b1ae2279f7e38d392947766b3bc145333019a0bc88
MD5 hash:
ebb82b3a55b63939fe203d7fa903e83b
SHA1 hash:
e813868732c6f8bba34589b39070a4cfa8e3b366
Link:
https://www.unpac.me/results/a26644ff-6a39-471f-bd0d-42b9f6268483/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9e3de16534dd2d0faa9c5a86276faf3822f7db00d651a0f3d9e337fbb5a47db9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/446500/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/439722/
  
URLhaus
https://urlhaus.abuse.ch/url/686533/
  
URLhaus
https://urlhaus.abuse.ch/url/831918/

Comments