MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a
SHA3-384 hash: a05f830de6b9e248d24833c0c0206cedc4db29e79a0bc655a3900dec38b062ae67e86e891909c5ac1a45cd99550ac53f
SHA1 hash: c7bd89e65731d76165c875af2be30f887025aeef
MD5 hash: 0f8052da24db6d71323bc66e03e9ae2d
humanhash: undress-december-delta-mango
File name:SecuriteInfo.com.Trojan.PackedNET.535.15264.1645
Download: download sample
File size:670'208 bytes
First seen:2021-02-12 14:59:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0eTDisA6yNVMTgP3xHIbjzNjlC0OBzX2Dw8k7OdourBOBO:HTDifUyyjzdU0OBzX2E8kNy
Threatray 31 similar samples on MalwareBazaar
TLSH F9E4B22222B4D656E7E90EF48C305D580EB36C0B6A15A37BF85471CC2CFD963EF11A96
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.PackedNET.535.15264.1645
Verdict:
Malicious activity
Analysis date:
2021-02-12 15:09:15 UTC
Tags:
loader
Link:
https://app.any.run/tasks/eb62a4a0-d2c8-4d91-bd30-f9c8367f423d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116936/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.535.15264.1645.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/606866
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Disables security and backup related services
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Kill multiple process
Sigma detected: Stop multiple services
Spreads via windows shares (copies files to share folders)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352472 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 12/02/2021 Architecture: WINDOWS Score: 100 77 Multi AV Scanner detection for domain / URL 2->77 79 Antivirus detection for dropped file 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 9 other signatures 2->83 10 SecuriteInfo.com.Trojan.PackedNET.535.15264.exe 15 5 2->10         started        process3 dnsIp4 71 176.111.174.14, 49714, 49721, 80 WILWAWPL Russian Federation 10->71 57 C:\Users\user\AppData\Local\TempR.exe, PE32+ 10->57 dropped 59 SecuriteInfo.com.T...T.535.15264.exe.log, ASCII 10->59 dropped 87 Drops PE files to the document folder of the user 10->87 89 Drops PE files to the user root directory 10->89 91 Drops PE files to the startup folder 10->91 93 Injects a PE file into a foreign processes 10->93 15 SecuriteInfo.com.Trojan.PackedNET.535.15264.exe 501 10->15         started        19 ER.exe 8 10->19         started        file5 signatures6 process7 file8 61 C:\Users\user\HOW TO BACK YOUR FILES.exe, PE32 15->61 dropped 63 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 15->63 dropped 65 C:\Users\user\...\HOW TO BACK YOUR FILES.exe, PE32 15->65 dropped 69 780 other files (10 malicious) 15->69 dropped 75 Spreads via windows shares (copies files to share folders) 15->75 67 C:\Users\user\AppData\Local\Temp\...\6DB2.bat, ASCII 19->67 dropped 21 cmd.exe 1 19->21         started        signatures9 process10 signatures11 85 Disables security and backup related services 21->85 24 cmd.exe 1 21->24         started        26 cmd.exe 1 21->26         started        28 cmd.exe 1 21->28         started        30 7 other processes 21->30 process12 dnsIp13 33 net.exe 1 24->33         started        35 net.exe 24->35         started        37 conhost.exe 24->37         started        39 taskkill.exe 1 26->39         started        41 conhost.exe 26->41         started        45 2 other processes 26->45 47 4 other processes 28->47 73 3.0.0.0 AMAZON-02US United States 30->73 43 net.exe 30->43         started        49 8 other processes 30->49 process14 process15 51 net1.exe 1 33->51         started        53 net1.exe 35->53         started        55 net1.exe 43->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-10 04:44:35 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
052a57afa8493f1396d73ab451c6df0135cf674529a26f692110b6ddb91c2672
08e4ff0c3fd04510841e9f4e55ba0b3d2681d8f4c3405fd83dd9bbc4c2fa01d9
49a326ef65fb6a7f8e778fb2104aa2708e38601348ddbc04e8cbd9117af0458a
539819840ab5f00373a1885399025e8b93a1f4f0b73d9f0397cdc7ac2560a459
7dda641f8a033f4428d6dc5a37b7c2e141b739683187d6f6a29c906693e85d36
8577f2b2527925efb4a0a024cecaf3b41ef3b7d9fd5da314c31b8e4fe665df03
9c8d8fabab405d77cff82b7d3e35904ca5ba5ae01f30755ba058a8505de8dcd5
a4ebee17a41b4d7d3d848c69d99eb85858dbe662c6c5d47884fb7fda72cce0f7
cdc0186e900c4d463ca18a258e1749e385ce612506f5cc3478c620873fb3e814
e889793952ee54d21fb326012e67ecd09b193b38ec65e473eb91a2b02820dbc5
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan upx
Link:
https://tria.ge/reports/210212-p9q28vh7pe/
Behaviour
Discovers systems in the same network
Kills process with taskkill
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Modifies service settings
Stops running service(s)
UPX packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
2b2bcf851c2b87033fd24c890c2a1de3642564f7cec7282982d96b8280baa849
MD5 hash:
befb0470c71d676cc891cba16088975d
SHA1 hash:
5b7143f97d1d656fd1cacf70949048c1951b639a
Link:
https://www.unpac.me/results/a93a39fc-e25c-49fe-9e9c-3b3fa9365a82/
SH256 hash:
a55816fb57a170ee6031b1554cd90257a22132716607965c4cd66332f189fc01
MD5 hash:
fa9b1eae8b05d80bc6131e560c89bb78
SHA1 hash:
70f6a8c823a9e4a3715f4f0835cca375ca75a35f
Link:
https://www.unpac.me/results/a93a39fc-e25c-49fe-9e9c-3b3fa9365a82/
SH256 hash:
365c2735a60940b1f48932901224a7c74850db73077e5e2e299d984d2d9a94a0
MD5 hash:
7eae062ab401915b920d0cadb6f44b3a
SHA1 hash:
cc0f67b69ac9ff7225da8e5f63e79c4f9fbe1e12
Link:
https://www.unpac.me/results/a93a39fc-e25c-49fe-9e9c-3b3fa9365a82/
SH256 hash:
3d3b9d2391e5597e0e48a36e6d931ee0460fd7dfc2331d4445d70e75b6ef7a0d
MD5 hash:
3384bd898ad28dd00ad29d12978a12d8
SHA1 hash:
bde359dfd35eda0400b9287254661595c7fa6b67
Link:
https://www.unpac.me/results/a93a39fc-e25c-49fe-9e9c-3b3fa9365a82/
SH256 hash:
a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a
MD5 hash:
0f8052da24db6d71323bc66e03e9ae2d
SHA1 hash:
c7bd89e65731d76165c875af2be30f887025aeef
Link:
https://www.unpac.me/results/a93a39fc-e25c-49fe-9e9c-3b3fa9365a82/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a03c3a2ce5f96b1b367f3a751c36190516bce61c51f79c58e1e1ecff1f70e41a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/116936/
  
URLhaus
https://urlhaus.abuse.ch/url/1002464/
  
Delivery method
Distributed via web download

Comments