MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3d71e76910e0e864f2841339152f8b9261a35c247d5a2711920f24cd7eb730b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3d71e76910e0e864f2841339152f8b9261a35c247d5a2711920f24cd7eb730b
SHA3-384 hash: 981d78b8e1e6eaadd130e024af05d3389a33e303cf62c04257db7cf0f2527ef91e2f8d9fabc18e10bd0d21c4f0661bbb
SHA1 hash: 035927ebcd840c9dab31518f4717dda817b3195b
MD5 hash: 183098420cddac87669dd23a5afc8c96
humanhash: asparagus-nebraska-mike-seventeen
File name:204,398USD_debit-note.exe
Download: download sample
File size:509'952 bytes
First seen:2022-04-21 07:31:08 UTC
Last seen:2022-04-21 09:05:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:kl9NmGChqkTzkJTduNxbqKJasHcEjBgLQ3ktuDfO91kO2aSjwW3Mrqw1y2ZkmP0a:u9CzE4N8080k4gF2aVW8d/km
Threatray 856 similar samples on MalwareBazaar
TLSH T15AB4028A31985732E4FF4BFAA671021647756603F163E70C4E9062DF68627C4EA217FB
TrID 49.6% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
21.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.9% (.SCR) Windows screen saver (13101/52/3)
7.1% (.EXE) Win64 Executable (generic) (10523/12/4)
4.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon 31f0d4a2d4c87276 (13 x AgentTesla, 9 x SnakeKeylogger, 6 x Formbook)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
207
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265339/
Detection(s):
SecuriteInfo.com.Artemis183098420CDD.22738.24305.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated packed powershell
Link:
https://www.filescan.io/uploads/62610876eab80a7a6c51e25b/reports/fdf9425b-b24c-412d-9d56-113c83c293b0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8364d4d0-55fe-4685-a59b-bc05fd56f4c5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/980453
Signature
Adds a directory exclusion to Windows Defender
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 612939 Sample: 204,398USD_debit-note.exe Startdate: 21/04/2022 Architecture: WINDOWS Score: 72 18 Malicious sample detected (through community Yara rule) 2->18 20 Multi AV Scanner detection for submitted file 2->20 22 Yara detected AntiVM3 2->22 24 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->24 7 204,398USD_debit-note.exe 3 2->7         started        process3 signatures4 26 Adds a directory exclusion to Windows Defender 7->26 10 powershell.exe 25 7->10         started        12 WerFault.exe 23 9 7->12         started        14 WerFault.exe 7->14         started        process5 process6 16 conhost.exe 10->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a3d71e76910e0e864f2841339152f8b9261a35c247d5a2711920f24cd7eb730b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-21 03:54:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uplr45urbyhimtziiezzcuxyxetbunoci7k2e4izedzezv7lomfq._file
Verdict:
malicious
Similar samples:
252237cef8d55aeaea58069593f2d63477aa688c8102fe76d54380310f0a6c87
83c7f69bdfc1a570bf2a66c6bef357f81375fc5e5975006a96fc2831cb2cd512
900fd05c173389415366e0b8eab3f9eb60deb3a559ae87047e5c4407712ff90f
9261c3b33dabc7bbf1fa5bb22c2ee4cc718f511779c3c43701756a9e8d8a8920
b9731b8f02b887704416062bb94743cca680d5f9930adbb2481e36b94f63b3c4
c9fdeaa3380aaa5dfaaea8c12fef4964a84e08d76eb376fb02c1d9e8ac3cdc32
f69a14273762b790e5f502a486144ebb282792e182a8959c50200b82492ea91a
+ 846 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220421-jcy6vsdfh9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Checks computer location settings
Unpacked files
SH256 hash:
ef058d0a23b36683b62d8331a6c43c2356bede56fdbe3587ba5b6889f344a67e
MD5 hash:
b41d180b984cffb701dc35d732f53494
SHA1 hash:
86a8c95cfabccfb57ca2e4520122d165776dee20
Link:
https://www.unpac.me/results/24449761-36d8-4919-8a76-7dd100dcf2ad/
SH256 hash:
0082231f460315f3529c2777cd175639b61567f434b81f1352b6d6c92ea219ac
MD5 hash:
698897c488f1fbd970504227332bf674
SHA1 hash:
6811628787ef298e848f7c24538ec97448f5ae8f
Link:
https://www.unpac.me/results/24449761-36d8-4919-8a76-7dd100dcf2ad/
SH256 hash:
a3d71e76910e0e864f2841339152f8b9261a35c247d5a2711920f24cd7eb730b
MD5 hash:
183098420cddac87669dd23a5afc8c96
SHA1 hash:
035927ebcd840c9dab31518f4717dda817b3195b
Link:
https://www.unpac.me/results/24449761-36d8-4919-8a76-7dd100dcf2ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a3d71e76910e0e864f2841339152f8b9261a35c247d5a2711920f24cd7eb730b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe a3d71e76910e0e864f2841339152f8b9261a35c247d5a2711920f24cd7eb730b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/265339/

Comments