MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a87c3901341ded9488bfa9f84856a3518fbbaec4d69a72e13c0d5e481b7e373c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a87c3901341ded9488bfa9f84856a3518fbbaec4d69a72e13c0d5e481b7e373c
SHA3-384 hash: 6742185ca887aa98c68c87094f36879a74602c881e8b12e9a430b00d6373b598aee8a9cc3704b288c727971272a1bd55
SHA1 hash: 1e2873e00a605858f471cca7bda13bbd36263926
MD5 hash: 80c4c04b1d11e0f6e84643d74ed31b1c
humanhash: romeo-mike-maine-floor
File name:MV LILA TOKYO - VESSEL DETAILS.exe
Download: download sample
File size:493'056 bytes
First seen:2022-01-21 14:28:34 UTC
Last seen:2022-01-21 17:13:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:8ajhMVOzguHumL5iXiZqFm5raRsxn85MMBh+j8c6GZQY9fxU4iYaL+J7eUd6:ZiVO5Hx55raRsB8PXFaJZibW4
Threatray 2'031 similar samples on MalwareBazaar
TLSH T15BA45F1C2E310772ED7E90309C720AE4BB671B436280699717DB55C68B8FC67EE4ADD8
File icon (PE):PE icon
dhash icon a9a9ada361869903 (32 x RemcosRAT, 2 x QuasarRAT, 2 x Expiro)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
186
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221493/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.22589.7709.12019.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Sending an HTTP GET request
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe obfuscated packed stealer
Link:
https://www.filescan.io/uploads/61eac337d32385db63158674/reports/d6334775-c656-49ec-bc4e-119364d91106/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c27ad06d-7e2a-42bb-96f0-000fcd1e947c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/925254
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary or sample is protected by dotNetProtector
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557735 Sample: MV LILA TOKYO - VESSEL DETA... Startdate: 21/01/2022 Architecture: WINDOWS Score: 96 52 Antivirus / Scanner detection for submitted sample 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 Machine Learning detection for sample 2->56 58 2 other signatures 2->58 7 dde33.exe 2 2->7         started        10 MV LILA TOKYO - VESSEL DETAILS.exe 3 2->10         started        process3 signatures4 62 Antivirus detection for dropped file 7->62 64 Multi AV Scanner detection for dropped file 7->64 66 Machine Learning detection for dropped file 7->66 12 WerFault.exe 3 10 7->12         started        15 cmd.exe 1 7->15         started        17 cmd.exe 1 7->17         started        28 2 other processes 7->28 68 Injects a PE file into a foreign processes 10->68 19 cmd.exe 3 10->19         started        21 cmd.exe 2 10->21         started        24 cmd.exe 1 10->24         started        26 MV LILA TOKYO - VESSEL DETAILS.exe 10->26         started        process5 file6 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 12->46 dropped 30 conhost.exe 15->30         started        32 schtasks.exe 1 15->32         started        34 conhost.exe 17->34         started        48 C:\Users\user\AppData\Roaming\...\dde33.exe, PE32 19->48 dropped 50 C:\Users\user\...\dde33.exe:Zone.Identifier, ASCII 19->50 dropped 36 conhost.exe 19->36         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 21->60 38 conhost.exe 21->38         started        40 conhost.exe 24->40         started        42 schtasks.exe 1 24->42         started        44 conhost.exe 28->44         started        signatures7 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a87c3901341ded9488bfa9f84856a3518fbbaec4d69a72e13c0d5e481b7e373c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 06:47:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
38 of 43 (88.37%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0b1396805e736275f16550f3ecc5361cfcccc468094b4ea910ded8eaf430a5b3
0dba6e7545b9ba21429bc5524757ca9f185494a2ef31bfe5bc9998c4563c0c2d
1b3a7ad1a4ae68d5b36ff60cbaee121381fb4a7a75dbe9eb0edcb93bcec5cf5a
7aef9ffe1f507a49defe482e631951d596726ba7a3d0a2f554679518abab5c8f
800f0b3cb78a8f0934c09d710a8e42286275cbaa10dbdb1841669f6280f0ab51
91b5e06c42d452a5c3d137c1556a341ec18163395ffff7ace946633f86ac637f
9e1565a4e0af404cf7eb096a60ddb70b5d5adf849312ea6f76c6374841759166
f127b8885114903eac8725e5477e22ec9b73f3190aad5acf248af5871f02bd81
f5cb1fde3016b1c8c6927d64cca4a84f81987b50382c19b42c4e1b5f137360f2
+ 2'021 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220121-rtlk4aaafr/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d4f91aec8f9c84b4e67e77f18440a8183409f08404a766e7a87ab8ea0f87e8bf
MD5 hash:
26b4495feab6f178662c1b6a81551feb
SHA1 hash:
335e88822a94a2c00a21960fb6430185d4a5e510
Link:
https://www.unpac.me/results/5551416f-d103-4407-b8b0-d4466cf6f48b/
SH256 hash:
a87c3901341ded9488bfa9f84856a3518fbbaec4d69a72e13c0d5e481b7e373c
MD5 hash:
80c4c04b1d11e0f6e84643d74ed31b1c
SHA1 hash:
1e2873e00a605858f471cca7bda13bbd36263926
Link:
https://www.unpac.me/results/5551416f-d103-4407-b8b0-d4466cf6f48b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a87c3901341ded9488bfa9f84856a3518fbbaec4d69a72e13c0d5e481b7e373c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Dotfuscator
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Dotfuscator
Rule name:INDICATOR_EXE_Packed_dotNetProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with dotNetProtector
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221493/

Comments