MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4afda24bd6c4b504a7ff9c3cb1b54f1ecb899b8bc136809bf038afe41a44dba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4afda24bd6c4b504a7ff9c3cb1b54f1ecb899b8bc136809bf038afe41a44dba
SHA3-384 hash: d899b42176f36bb2e0087167988dbba2ae7699d074c5bf6b2ada306f35bf061ba20355f909fa6de118138f2ed5ff55ca
SHA1 hash: df7027a8614c971a84b4dfcd2c8574e4307f3dba
MD5 hash: 56a2b99de187aab1871c30090a128320
humanhash: enemy-lion-robin-ten
File name:20985678875456.exe
Download: download sample
File size:1'327'104 bytes
First seen:2021-10-08 17:53:51 UTC
Last seen:2021-10-08 19:13:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:lMG06DSdx/H/KYzEj4WH6dcWWwo2CI7HyYgk4KHD+CVC0+8D:6mSr/TQ1WWwoiHp0Kj+CVlzD
Threatray 15 similar samples on MalwareBazaar
TLSH T1625533E069D04638EB6F16B974CD65B08394BAA00CCC7A6D9CD7E74FD61520DE8B2E07
File icon (PE):PE icon
dhash icon 5aba62ea0282e272 (1 x SnakeKeylogger)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
20985678875456.exe
Verdict:
Suspicious activity
Analysis date:
2021-10-08 17:56:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ac6c9b9-a75c-471e-9525-bc211da3885e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196225/
Detection(s):
SecuriteInfo.com.Variant.Bulz.792377.4145.3452.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616085c3e3d213d202bbfe36/reports/9990d8d5-a48a-44bd-9479-7944e477161e/overview
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/867243
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499671 Sample: 20985678875456.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 38 .NET source code contains method to dynamically call methods (often used by packers) 2->38 40 .NET source code references suspicious native API functions 2->40 42 Machine Learning detection for sample 2->42 44 3 other signatures 2->44 8 20985678875456.exe 3 7 2->8         started        process3 file4 24 C:\Users\user\...\trabajos sales 2.0.exe, PE32 8->24 dropped 26 C:\Users\user\AppData\...\20985678875456.exe, PE32 8->26 dropped 28 C:\...\trabajos sales 2.0.exe:Zone.Identifier, ASCII 8->28 dropped 30 3 other malicious files 8->30 dropped 46 Creates an undocumented autostart registry key 8->46 48 Writes to foreign memory regions 8->48 50 Allocates memory in foreign processes 8->50 52 Injects a PE file into a foreign processes 8->52 12 20985678875456.exe 15 2 8->12         started        16 20985678875456.exe 8->16         started        18 wscript.exe 1 8->18         started        signatures5 process6 dnsIp7 32 checkip.dyndns.org 12->32 34 checkip.dyndns.com 216.146.43.71, 49811, 49812, 80 DYNDNSUS United States 12->34 36 2 other IPs or domains 12->36 54 Tries to steal Mail credentials (via file access) 12->54 56 Tries to harvest and steal ftp login credentials 12->56 58 Tries to harvest and steal browser information (history, passwords, etc) 12->58 60 May check the online IP address of the machine 16->60 62 Machine Learning detection for dropped file 16->62 64 Wscript starts Powershell (via cmd or directly) 18->64 20 powershell.exe 26 18->20         started        signatures8 process9 process10 22 conhost.exe 20->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4afda24bd6c4b504a7ff9c3cb1b54f1ecb899b8bc136809bf038afe41a44dba/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 16:21:51 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=usx5ujf5nrfvast77hb4wg2u6hwlrgnyxqjwqcn7aofp4qnejw5a._file
Verdict:
malicious
Similar samples:
0e16268b5f26f1f7314bb1b21bb246b99ee4fd6e000818edc94f7efa67964a4d
2cfa6e09ec6ebc184774238d6a497df43c5eed8c2c03e86e830400c8b7fc4ced
3023261456361410fc8e6f5ec4c22d0c2aa7d02fd62148de20819945e99a86a3
41f206a7e8b3c15642e6cfad479ae3f0972b82e57ec46a5ffd31e51954a81c6c
437b54089000ca7236fda3977ae22b75409c8414331c76e3d55029290f60f57f
5b8f3956ac2be07fe773d9c294e5cbad0968e7fa99c5f6fd5d184caa512c5106
d6bd9bd06afd6e3464c43547fe5c41de9702c44cc21b765cf8fb41eb365b37dd
d9f4e53838a43981dee675993924484cd508c1d6fe40d619694e313e9d1e6569
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/211008-wgwyhsegb3/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
08356f41b6178787a2d8cff06078ed6ed8772c8f2262047d8910cb143039a343
MD5 hash:
8a076d80705afa25247a99da41e3ef71
SHA1 hash:
e56fe4c03e05bf128b6c49d285111749b1016345
Link:
https://www.unpac.me/results/86fc655d-1d01-4292-bba8-8e1e879fe400/
SH256 hash:
faca8c6fd15179cacd8039f2dac20f8f18d5e5d87f73b03edd0243694548d8b2
MD5 hash:
6e4efffba0283d9b12cf4b3fd8a2b06b
SHA1 hash:
e53272566fcde10925173d7a531c9f5ed40a428c
Link:
https://www.unpac.me/results/86fc655d-1d01-4292-bba8-8e1e879fe400/
SH256 hash:
0c98e6654e3b4a9ee523de35cc47a2c159625bdaa9694be6a94f856354a8ee81
MD5 hash:
1e40a396de3c822ae4a6e1f38bf9e641
SHA1 hash:
b92fe9f8e4d8e8c280ea0d757906df472bc6b750
Link:
https://www.unpac.me/results/86fc655d-1d01-4292-bba8-8e1e879fe400/
SH256 hash:
e838d7b8cb073939bf241ed8b5892aac0c7cf98a2c78dfb546deadfe3e24bc46
MD5 hash:
a4ffd9a01426029c297dbb4b6316821e
SHA1 hash:
4c10add4ee80a1b3a10d06655407bea2e47133b1
Link:
https://www.unpac.me/results/86fc655d-1d01-4292-bba8-8e1e879fe400/
SH256 hash:
a4afda24bd6c4b504a7ff9c3cb1b54f1ecb899b8bc136809bf038afe41a44dba
MD5 hash:
56a2b99de187aab1871c30090a128320
SHA1 hash:
df7027a8614c971a84b4dfcd2c8574e4307f3dba
Link:
https://www.unpac.me/results/86fc655d-1d01-4292-bba8-8e1e879fe400/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a4afda24bd6c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4afda24bd6c4b504a7ff9c3cb1b54f1ecb899b8bc136809bf038afe41a44dba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/196225/

Comments