MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4
SHA3-384 hash: 9b471cb7d0fd8807bc70ec7986205b98525d90c373a8dfb66ccef6c67a649557b83ec5813a49f83c25522eae2794ce03
SHA1 hash: a790794ddf994c328ef5e2f62186342bff07f84b
MD5 hash: b33ef10f1e5378ff91bde7cafef9465a
humanhash: double-mississippi-ceiling-river
File name:CM35435350000000000000353_PONUDHA.exe
Download: download sample
File size:1'394'176 bytes
First seen:2023-04-21 12:49:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:wgNB6fyMl7sBiN2jRgXL99KQJfikLOvNHgv1+KpYmRbEnTxmTMFIlf4R0s8FLRHY:k1L9/xz0Q07NQKkDeroiQiMxDKvj
Threatray 1'333 similar samples on MalwareBazaar
TLSH T15B555B343DEA501AF173EFB95BD879E6DA6FB6333B06A42D109103864723A41DEC153A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter malwarelabnet
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
262
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CM35435350000000000000353_PONUDHA.exe
Verdict:
Malicious activity
Analysis date:
2023-04-21 12:52:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da977496-7a7f-4b66-abc4-c66d6343a627

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383946/
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.4774.15726.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
phishing
Link:
https://www.filescan.io/uploads/6442867a7992ccda134f09e3/reports/c61f42de-c27a-4900-ac03-072cf9ddab7d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/72764d51-4a4f-4ce3-871e-f5df3c07a379
Result
Threat name:
n/a
Detection:
suspicious
Classification:
n/a
Score:
25 / 100
Link:
https://www.joesandbox.com/analysis/1218616
Signature
.NET source code contains very large strings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 851564 Sample: CM35435350000000000000353_P... Startdate: 21/04/2023 Architecture: WINDOWS Score: 25 16 .NET source code contains very large strings 2->16 6 CM35435350000000000000353_PONUDHA.exe 3 2->6         started        process3 process4 8 AddInUtil.exe 6->8         started        10 vbc.exe 6->10         started        12 ilasm.exe 6->12         started        14 28 other processes 6->14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2023-04-21 12:33:59 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
14
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uifcebzfiroikh6d4kxywn6dmo6qyh2p2mfyjgj766udq4trk22a._file
Verdict:
malicious
Similar samples:
301ec203016376d674b6b54709f7308738f16a7d841ebef9614139c3efd64388
4ec081f16baabe564b1038b86fe09f8b6fb3ef70a83abb23141e423fb36a42ec
4f1216da1891780979cac73e46c30466795250223c75ee73d0375898b47b042f
68e5677a864f229ef02194052ef540cd7b80695b10e5493edfc0d51a8d87874a
7291ec3c376ef815f0e1f30935478f84658457be2d9f8fcbc54a1126197e70e1
8d4e8edf683d42f1f5287ae5d25f57d93285fd6b32f2198a1a2545cd17b05a1e
901112dd590ebf7bb0314c090a66522540e27d7ae769f2030ac47e3046f5d313
b453bcbc41e72b625a5d0eb322ed817d367e63e257e0045468addc548c4b54ff
c6af80e6ed0b9f93b7e14e956dac74d7affe71097f9ab14786e8fdd0469f4d25
+ 1'323 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230421-p2xbfsfe94/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4
MD5 hash:
b33ef10f1e5378ff91bde7cafef9465a
SHA1 hash:
a790794ddf994c328ef5e2f62186342bff07f84b
Link:
https://www.unpac.me/results/d1d4e3d8-4f90-4d58-b76a-15035598628b/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a20a22072544/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a20a220725445c851fc3e2af8b37c363bd0c1f4fd30b84993ff7a838727156b4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/383946/

Comments