MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac3b32a95de5abf9c4e23a6f0f30691ff8e28c3e6a49b4a8c921c91da617c818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 9

SHA256 hash: ac3b32a95de5abf9c4e23a6f0f30691ff8e28c3e6a49b4a8c921c91da617c818
SHA3-384 hash: 4f72b93b0273f29d065523c8ce0f0494014b4c392c1342dd8a61c14f1397a4109a57afb55cbe2320d8d7571582606407
SHA1 hash: f281fcffe6c39fe9b549056c158f08b5739743d5
MD5 hash: e7cf029a03cdea32cd9eee3dfeab1e02
humanhash: undress-edward-nebraska-high
File name: SandeLLo Checker.bin
File size: 14'218'240 bytes
First seen: 2022-06-20 17:16:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 393216:7LkyCp7kk/SmZd+PQBEH/jVK1MRfngl/ieTDjC:7Lr04k/SDQ+H/jWuglZX
Threatray: 455 similar samples on MalwareBazaar
TLSH: T12DE63330336CC589F9CC0431A06B913A4B95BF6AFD61C70D3A7922917DF07A9464A7EB
TrID: 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: f0ccd6ceeecc9224
Reporter: KdssSupport
Tags: exe HawkEye

Intelligence

File Origin
# of uploads: 1
# of downloads: 313
Origin country: n/a

Vendor Threat Intelligence
Malware family: hawkeye
ID: 1
File name: SandeLLo Checker.exe
Verdict: Malicious activity
Analysis date: 2022-06-20 16:46:52 UTC
Tags: hawkeye

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: cerbu packed
Result
Verdict: UNKNOWN

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 60 / 100

Signature
.NET source code contains method to dynamically call methods (often used by packers)
Connects to a pastebin service (likely for C&C)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Threat name: ByteCode-MSIL.Adware.RedCap
Status: Malicious
First seen: 2022-06-20 09:45:50 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 11 of 26 (42.31%)
Threat level: 1/5

Result
Malware family: n/a
Score: 9/10
Tags: n/a

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Legitimate hosting services abused for malware hosting/C2
Nirsoft
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: exploit_any_poppopret
Author: Jeff White [karttoon@gmail.com] @noottrak
Description: Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.