MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5a8bd220d25a52cb97b7aaeffca5ab4c8d47f5d53302411f10348f0fa1a6aa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5a8bd220d25a52cb97b7aaeffca5ab4c8d47f5d53302411f10348f0fa1a6aa2
SHA3-384 hash: aa1e9dc50fba2e34da4eda48b59032041583424aa4bee615697aa1b9a833c5026a75b946baf1c9f0749a5b7d0c264bcb
SHA1 hash: 7f24f43e0de601467c5dcc6b654623dbe8151e49
MD5 hash: 418d67bdccc7c74875e0bc6c222a556e
humanhash: diet-sodium-item-illinois
File name:418d67bdccc7c74875e0bc6c222a556e.exe
Download: download sample
File size:1'271'528 bytes
First seen:2021-12-06 12:59:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:svwDzmEgVTKYTx83lFXvVd1emdO2DDAQ/4/Ksn:vPmnpRTu3HXNd3dO2tTA
Threatray 585 similar samples on MalwareBazaar
TLSH T157457C2DA7F1BD2EC2A61A37C01AC45546E19B441763E36AFABF06932E4F3B40D5E1C4
Reporter abuse_ch
Tags:exe signed

Code Signing Certificate

Organisation:Plainsongs
Issuer:Plainsongs
Algorithm:sha1WithRSAEncryption
Valid from:2021-11-28T21:00:00Z
Valid to:2031-12-05T21:00:00Z
Serial number: 5f0e1554ce18f7ab4184089e248e11d4
Thumbprint Algorithm:SHA256
Thumbprint: 1b53b607e5fa713553d50df90a38568f691f9cd5588c5b1062681084e5fedcfd
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
418d67bdccc7c74875e0bc6c222a556e.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-06 23:19:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6431a762-247c-4d81-893a-8c6a66a20352

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/211780/
Detection(s):
SecuriteInfo.com.Variant.Lazy.18546.27915.10928.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
DNS request
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/61ae091947ed217c013362d1/reports/8388086b-5c78-423f-ae32-f3b74a44b404/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ad32dc79-6842-4b1b-b199-da3af73c0085
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/902262
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5a8bd220d25a52cb97b7aaeffca5ab4c8d47f5d53302411f10348f0fa1a6aa2/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-06 10:48:19 UTC
File Type:
PE (.Net Exe)
AV detection:
19 of 28 (67.86%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
51bda9cff13b4515a21d412a59a51746594613eed7fe0cb21f1ee8037baabf66
963a73a00d5a09138b610d7a2a8cca387bced6b67c918a7708fb74bd88ac0c5e
98d93834f17d6f7bc2c5251740d38b8ba569c03b84e6f0124c2e519b9c61e40c
9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e
daa44b180ded811edeb606767992fffcace2ed07dc7e37413fcb24c5edc9fec7
fde8fe5dce7787acbb104ae4d1496bdb7d18d21f6e66ce0fc59c055d20f68a61
+ 575 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211206-p73enaghg6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Downloads MZ/PE file
Unpacked files
SH256 hash:
dc9b7a364fefd578a9a600c5505f9bad6589d35b131be86af8ed7b93a5ad7a31
MD5 hash:
133327a14e19fce0a23c3d64cd4f313b
SHA1 hash:
a9c9429f09fd4a56b1cf89aa789229a65c10a196
Link:
https://www.unpac.me/results/d95c517d-0f83-4770-99f7-6ba762cc42ed/
SH256 hash:
a5a8bd220d25a52cb97b7aaeffca5ab4c8d47f5d53302411f10348f0fa1a6aa2
MD5 hash:
418d67bdccc7c74875e0bc6c222a556e
SHA1 hash:
7f24f43e0de601467c5dcc6b654623dbe8151e49
Link:
https://www.unpac.me/results/d95c517d-0f83-4770-99f7-6ba762cc42ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.32
Link:
https://yomi.yoroi.company/submissions/a5a8bd220d25a52cb97b7aaeffca5ab4c8d47f5d53302411f10348f0fa1a6aa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a5a8bd220d25a52cb97b7aaeffca5ab4c8d47f5d53302411f10348f0fa1a6aa2

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/211780/
  
URLhaus
https://urlhaus.abuse.ch/url/1859369/
  
Delivery method
Distributed via web download

Comments