MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211
SHA3-384 hash: a2e98c9742181eb98fe038db1d126c015eb256985092bc02f9f455b1b9150368907076c1b9fa0609d969a6c50f4b0c87
SHA1 hash: 656995277eb1d104fda067fb5947839c5ee8a91b
MD5 hash: 76acdcebdfce9614002c56f57f09ecb9
humanhash: mike-football-north-colorado
File name:aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211
Download: download sample
File size:1'536'000 bytes
First seen:2022-07-13 06:30:08 UTC
Last seen:2022-07-15 03:00:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:nx0vtufKPsjpkbPwdnITPkGr9HtTwkpXDvASps9ojoU6ISv3OvSJ9QFQfrXu:nm7hzwdcsGttTwsUA0cSPaQf
Threatray 100 similar samples on MalwareBazaar
TLSH T1AB65AE62F9C2C172FDD515BA83FE2B371F394506A32984E776C419A09AA10E275BF343
TrID 62.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
23.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
4.1% (.SCR) Windows screen saver (13101/52/3)
3.3% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286758/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop20.6384.26956.30179.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd.exe greyware packed snake
Link:
https://www.filescan.io/uploads/62ce66e4ec671b846f8fc662/reports/56d49260-1552-4710-b64b-583af9455da9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4476cbcb-e182-409e-aeb8-c4bc7bb0b6f9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1029895
Signature
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 18:11:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 25 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vl7pmoj2nkfmwka4i5z6yixpnlb7gsg56spkx6tk36g2fh3mkiiq._file
Verdict:
malicious
Similar samples:
079871499bdc91b180fcd73f10d7db76fcabbbdd29017ad0f8fe82f5c18b39a8
0b3020eb6b8360bae5958d4f8e877fe532d1c21bbaa851c364aaef0b6f67e1ac
1254eb8dd2f4b697e0bad62b9accdd5e9553e920dd131a450d742ba80844899c
1f68e889d3c4c7f8049bad4abd042fcd05e84ac96bf23d86e2e95aa8fe346593
3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676
5b682f3038aea6c3db35ba85a82712a1920adddd5587777742ca711dcd729757
8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23
9ed9dd31627375c35c9df58ab9ec01295b57903882b1154ba7b72ecfa18b3ce3
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846
+ 90 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/220713-g92l5sdhg7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Checks computer location settings
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a4b46fb3ce201e7d65fc132d260e233254b46df023b9f62107515c91688d17e9
MD5 hash:
86b53f650ba373769675c3d53dddb7a7
SHA1 hash:
892f7100acdcdad5c0b8622b47aa6894390b0d0f
Link:
https://www.unpac.me/results/d8974dde-c48b-457b-a965-99c07272a5ad/
SH256 hash:
13e0d3688fcf9c933db95f51ccabe1cf9f5797e9ef296ad61492ff20cee1b0c3
MD5 hash:
d97cb6aca387dc75fb27e58d70cff671
SHA1 hash:
0896de844bf89cb35a23e765de2deeb76910b1e7
Link:
https://www.unpac.me/results/d8974dde-c48b-457b-a965-99c07272a5ad/
SH256 hash:
aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211
MD5 hash:
76acdcebdfce9614002c56f57f09ecb9
SHA1 hash:
656995277eb1d104fda067fb5947839c5ee8a91b
Link:
https://www.unpac.me/results/d8974dde-c48b-457b-a965-99c07272a5ad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe aafef6393a6a8acb281c4773ec22ef6ac3f348ddf49eabfa6adf8da29f6c5211

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2203989/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286758/

Comments