MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6
SHA3-384 hash: da8c135d58a61de91a82eb4e25de28c78d599d48562a42e7a1f4994a0c721e3a11b8198ecb1b961e457f19bd0f3cf9f9
SHA1 hash: fe7f41fe9cf3b25f507962613c1637c89dc9b88d
MD5 hash: d451fb6911a049381491c7571862bd9d
humanhash: zulu-snake-tennessee-utah
File name:MT103 Halkbank,pdf.exe
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'178'624 bytes
First seen:2023-03-16 06:40:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:IwKJTNYfcJD5a+x+NUeW/rN1Ei1HER1hI5Pg4r2PtQhL:FKFUg6NnWZ1EmHjws
Threatray 174 similar samples on MalwareBazaar
TLSH T17E45128C616B5B56CEAC33FBD46264548372A8A18321E32E6DC5A4F31FF1BD4C805D6B
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon f8ec96b2b296ccf0 (8 x AgentTesla, 4 x SnakeKeylogger, 3 x Formbook)
Reporter cocaman
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
226
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MT103 Halkbank,pdf.exe
Verdict:
Malicious activity
Analysis date:
2023-03-16 06:41:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc69907f-9d4f-4bfa-99ca-377ddaf8acb7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/374702/
Detection(s):
Sanesecurity.Rogue.0hr.20230315-1636.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
gorgon packed
Link:
https://www.filescan.io/uploads/6412ba01c3d52e36200e3b0b/reports/51b529e5-3ba9-456a-a77d-95cc9e7b12af/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb34b583-53e9-432b-9d3b-04ec6ca03205
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1194724
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses the Telegram API (likely for C&C communication)
Writes or reads registry keys via WMI
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-15 05:13:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vdru6cx2tv4o5bpk5i7rjuln3ema2sw4cdmc3pmfooknlyvt3hla._file
Verdict:
malicious
Similar samples:
0323277770dc3d499264c4dcac77e3f18164ae8d2409f1d503602b0c8b966ba6
DarkCloud
353a133b42bee88f0bc7c2fb4c5bcac42d1d63e5098c1c4bf881670c7dfa2c9e
DarkCloud
483da9e4ba41764c76b866df9ded1a18ca671a589cd64ee0ad52c5f66da08587
DarkCloud
5632ae27980cf1407b52fe4a9da06e30cec16937a75971b4df6d875c14278c8d
DarkCloud
5d2841d221d5f4b73591f9972ece12a9382fb40146caa6e8691eba12ae138049
DarkCloud
62d89b5997bfef1759d735155650027c0c6ffbc930fa5af742c4f481e884800b
DarkCloud
659d786131454bee09b1cf35abfbec971dd4d3bed16b34805332be4ddd33202b
DarkCloud
912d987b402f4944ee141f45a4ae720416e7f03ec95cd19490d897aa68baa211
DarkCloud
c7ea53e57251629a3485c588848a8f99362035170807b2aa95355be6fb8055f4
DarkCloud
cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
DarkCloud
+ 164 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230316-hfr2aahd95/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
SH256 hash:
44c383b1589ca66db1590050e291a9c0eb759bdf18223ca2cb5e16d1a7b43b4e
MD5 hash:
ef0378975497af5cc20adb24ab0d3332
SHA1 hash:
4efe499136df6bc0ec753fc5daadcd77ec5959f4
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
SH256 hash:
735d18b5b5ba915feca1cfe7e52597bf81c420df3b4f3874f29f574ade6cb052
MD5 hash:
90cb82f226bc417bb42c6b0896bee7f3
SHA1 hash:
c39f8e7c59e85d5f299897b726e3a02d13aa92c3
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
SH256 hash:
bee5e3194efd62b6c2c52d27670881c334fa9fac883d0ccb23261e6b9554da5f
MD5 hash:
19721dba33bc54326ebe1517d4e289ea
SHA1 hash:
b9e1d5e9a9e80fb86d97d25c6d1e236d3caf0439
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
SH256 hash:
d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37
MD5 hash:
0fb6061f7d37424fb9e6d0e76b019c19
SHA1 hash:
98a64bf7b459f032d6ec5793003bf61b5ae1dd74
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
Parent samples :
495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a
SH256 hash:
f50969dbd06c1065aa2dece50a31eeb959dad86262bd22a36a9a37e6b60ed39e
MD5 hash:
51259565e516fe3df2289daf1b41e15c
SHA1 hash:
6550fcb33954f054ad4c5c43103a31d19007b599
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
SH256 hash:
a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6
MD5 hash:
d451fb6911a049381491c7571862bd9d
SHA1 hash:
fe7f41fe9cf3b25f507962613c1637c89dc9b88d
Link:
https://www.unpac.me/results/ed1978ae-2666-4a4a-aafd-06806f3ec081/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

DarkCloud

7z 662acbf7478f5415e9675d9c74e26aa4e90d839e43a8fc73de624a8a10d39e8b

DarkCloud

Executable exe a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 662acbf7478f5415e9675d9c74e26aa4e90d839e43a8fc73de624a8a10d39e8b
Cape
Cape
https://www.capesandbox.com/analysis/374702/
  
Dropped by
MD5 af9609627fc60c79b87d963148192513

Comments