MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a
SHA3-384 hash: 72b2d011fcbddee338150a22761c8ce54a17ffd6afe558edbe2b080fe2127b11b26a90f07e147a89ed61a41ceed35e01
SHA1 hash: abc1e0a0afb8f99478d0e1ebd8f9a709e6c61c7d
MD5 hash: 6ac016c8fbfac89238bd6d7e87a2f727
humanhash: spaghetti-five-robert-emma
File name:SecuriteInfo.com.Trojan.PackedNET.405.21504.26367
Download: download sample
File size:210'944 bytes
First seen:2020-08-24 10:50:36 UTC
Last seen:2020-08-24 15:12:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:PbWBGAQnY8j59+CpoHH8FHpHIPxRf3k23v1znTNB:PyZon5tpzpHCvf3kcv1znTT
Threatray 145 similar samples on MalwareBazaar
TLSH 8524AF48B514B29FC86E8D3AA9541C74876032B7670BF3439D0399DAAE1DBD3CF119E2
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
4
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50249/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.21504.26367.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/447502
Signature
Antivirus / Scanner detection for submitted sample
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 276076 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 24/08/2020 Architecture: WINDOWS Score: 72 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Machine Learning detection for sample 2->43 45 2 other signatures 2->45 8 SecuriteInfo.com.Trojan.PackedNET.405.21504.exe 3 2->8         started        process3 file4 37 SecuriteInfo.com.T...T.405.21504.exe.log, ASCII 8->37 dropped 47 Injects a PE file into a foreign processes 8->47 12 SecuriteInfo.com.Trojan.PackedNET.405.21504.exe 1 1 8->12         started        signatures5 process6 signatures7 49 Disables Windows Defender (via service or powershell) 12->49 15 powershell.exe 25 12->15         started        17 powershell.exe 20 12->17         started        19 powershell.exe 12->19         started        21 11 other processes 12->21 process8 process9 23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 21->31         started        33 conhost.exe 21->33         started        35 8 other processes 21->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 14:44:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
263573ece93d13d69ed99ea6be5715ca5b15e1877ed09a274ca9cf55f4d16a22
45eac93db3a0554afa555fdfced45c8bd9d5c973d05f3e4b40219be984dd0d28
5f928f6a534f2420969e9072892d08011473d5993a183c515f2ff2620a33a56f
673aa6ede02270b33f4a7058ec4e31eabd688ca4c75037ed4a7f92470a42a271
723071d4e54bdfd50d7ca47b02f67ea70aa59ddffbab36d8dbc5eadfd4b799be
7cc4e45a2448e81c638cf0a84c269d7d926135647f95d318279429587d462e9a
ab79b2c6cca235d1b6a2bfdc550a15497c03d193d622feaa2e48c3006ef7c0b8
af27bd7180ad756460e32f2ae56db7cbdc8a79e73a36b261a96f803e5b051fd5
b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835
f749fcdcc06750ec8e3839b52ddd13e9a2023673da83aefe1c13439e1351fab5
+ 135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/200824-3hhgyykmxa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Windows security modification
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/50249/
  
URLhaus
https://urlhaus.abuse.ch/url/439591/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/439791/

Comments