MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0
SHA3-384 hash: 1aa78ebf6d7e467703c64442b2f970959de76f588f333f765f82fc8e5179a7b22a36df086c9b4697b7f6f109d29df59b
SHA1 hash: 55fb3efc6d0949f42740505aff8f0e22b7ad5b6c
MD5 hash: 525961d4c5c9b810b51cd875f7ba031b
humanhash: kansas-stream-comet-steak
File name:RT9865430000.exe
Download: download sample
File size:696'320 bytes
First seen:2024-07-01 05:59:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:YYV6MorX7qzuC3QHO9FQVHPF51jgcmITjox6hKYFXtcbJUH4eLpFRQZevJftc:3BXu9HGaVHjoYZtcbiTLpFke4
Threatray 65 similar samples on MalwareBazaar
TLSH T148E422844AE49D76C0941776C43BAD109D6174BACEE43B58C2E9F22BF8723A3DC4752E
TrID 31.3% (.EXE) UPX compressed Win32 Executable (27066/9/6)
30.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
12.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Autoit-10032538-0
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6682462bbba6ccecd93a0bbdwin10vpnfull_triage
Tags:
Generic Malware
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Restart of the analyzed sample
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
AutoIt lolbin microsoft_visual_cc packed packed shell32 upx
Link:
https://www.filescan.io/uploads/668245e321581a9281a07b33/reports/e5e2a921-ac30-429b-b5cc-661a7ded9fd7/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5197f7bf-c62e-4c10-9bdf-c80065273965
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1465043
Signature
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1465043 Sample: RT9865430000.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 60 48 Multi AV Scanner detection for submitted file 2->48 50 Binary is likely a compiled AutoIt script file 2->50 52 Machine Learning detection for sample 2->52 54 AI detected suspicious sample 2->54 14 RT9865430000.exe 4 2->14         started        process3 signatures4 70 Binary is likely a compiled AutoIt script file 14->70 17 RT9865430000.exe 2 14->17         started        process5 signatures6 46 Binary is likely a compiled AutoIt script file 17->46 20 RT9865430000.exe 2 17->20         started        process7 signatures8 58 Binary is likely a compiled AutoIt script file 20->58 23 RT9865430000.exe 2 20->23         started        process9 signatures10 62 Binary is likely a compiled AutoIt script file 23->62 26 RT9865430000.exe 2 23->26         started        process11 signatures12 66 Binary is likely a compiled AutoIt script file 26->66 29 RT9865430000.exe 2 26->29         started        process13 signatures14 68 Binary is likely a compiled AutoIt script file 29->68 32 RT9865430000.exe 2 29->32         started        process15 signatures16 44 Binary is likely a compiled AutoIt script file 32->44 35 RT9865430000.exe 2 32->35         started        process17 signatures18 56 Binary is likely a compiled AutoIt script file 35->56 38 RT9865430000.exe 2 35->38         started        process19 signatures20 60 Binary is likely a compiled AutoIt script file 38->60 41 RT9865430000.exe 2 38->41         started        process21 signatures22 64 Binary is likely a compiled AutoIt script file 41->64
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0/
Threat name:
Win32.Trojan.Strab
Create hunting rule
Status:
Malicious
First seen:
2024-06-28 16:24:42 UTC
File Type:
PE (Exe)
Extracted files:
52
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvtnl4oyzfrpxiwbaebcouiy3oqveupwpegyra43hjql7vjt7sya._file
Verdict:
malicious
Similar samples:
115a0abcf8bfe4d0320ecc08c9f0668f35dd796b7a74c6dfeb9d6fc7dc16d214
1a4e9865bdd049e0af9744de415b4bca7da2752ea21ce6c547f37f962b5e6aa9
1e978f9081a38530567bd778d25cebdf6297ce2f8c6d1fed644d75ac102fd567
386580202d90520223e28022e45cd09cfc117afa9772a66dbc254ab9cb5c78cb
927e8668d7e5b22d0d278cb66ecbb15a51420f2fc5299aaa324d43a7d04719a2
947d460ae566ba36eaffe66b728f4d951c88df3ed89468ce1eacae2cefac9b15
a49d396f7f272b32af4ef12abb52d5bc92ff2c97ca09b1d79436e13f1b9bf192
c1dc498ac1f64dcf63b7c536c5e95e2561054a3ae4e95df36975426032f680ac
eed16fcecd583ffe26a401d9db3a7128fdf5e9e76cc35087b626542c527a142a
f5da5b71aaee25c3769bfdbbd086208d0ff97ff923ad7903f813d3a81460013f
+ 55 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
upx
Link:
https://tria.ge/reports/240701-gqbavaxgmb/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
AutoIT Executable
UPX packed file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/08da2b0e-7e93-40fd-8fe7-26f7afd1beca
Unpacked files
SH256 hash:
7de9d50c5f6d54430bee2227e2fcd43dea95ca330cc62d020f8949e292ceca17
MD5 hash:
4fd4a8eca14ff15074e60f569ebe26f9
SHA1 hash:
1f38b46c0171bdbff9378f3c043aa578761ce20b
Link:
https://www.unpac.me/results/5409ef19-a4d4-4ad9-b858-9df14224f484/
SH256 hash:
003b468f895bbe8cd3a12176aeca5b63196ec337b7543d54712d3f1636073408
MD5 hash:
7040d062abee7c1429872b0c30e70fa9
SHA1 hash:
e5921e5b11934fa095d15018451ca3063ccf7fdd
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/5409ef19-a4d4-4ad9-b858-9df14224f484/
SH256 hash:
a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0
MD5 hash:
525961d4c5c9b810b51cd875f7ba031b
SHA1 hash:
55fb3efc6d0949f42740505aff8f0e22b7ad5b6c
Detections:
SUSP_Imphash_Mar23_3
Create hunting rule
Link:
https://www.unpac.me/results/5409ef19-a4d4-4ad9-b858-9df14224f484/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.39
Link:
https://yomi.yoroi.company/submissions/a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Imphash_Mar23_3
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Maximum 0,25% hits with search for 'imphash:x p:0' on Virustotal) = 99,75% hits
Reference:Internal Research
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:upx_largefile
Create hunting rule
Author:k3nr9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe a566d5f1d8c962fba2c10102275118dba15251f6790d88839b3a60bfd533fcb0

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::GetAce
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN_BASE_APIUses Win Base APIKERNEL32.DLL::LoadLibraryA
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetUseConnectionW

Comments