MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae56d57584819808e38b6b430dd066a14cc036cec568a0832de08e3f65bccc87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	ae56d57584819808e38b6b430dd066a14cc036cec568a0832de08e3f65bccc87
SHA3-384 hash:	552f0f317acd97c9db8b659750503eddebadd2a5c40bf797fe6d7c2acd5ed1fc89db692dc6b29571206b18e26d77c5a4
SHA1 hash:	54996a0afc99fc23a5e8a76e1c330a54b93df2fa
MD5 hash:	67714f554ef990cc09ff146fd236bf5f
humanhash:	sodium-harry-wyoming-video
File name:	Doc#662020094753525765301499.pdf.exe
Download:	download sample
File size:	2'325'504 bytes
First seen:	2020-08-11 18:41:07 UTC
Last seen:	2020-08-11 19:37:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	49152:UnzNxjduuaq4w+JDS0TJ9VeznYELJlTIA7pqWc2ldvnjOlgTL9tr/:u0qD+9S019VeznrlTX7pJc2POM9t
Threatray	16 similar samples on MalwareBazaar
TLSH	9EB5331563D54A69E0BE1F3DE362141087B39D1E1733C73CAFC747AA4A27AA14B62F12
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/43711/

Detection(s):

SecuriteInfo.com.Trojan.Inject3.50149.28270.105.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Forced shutdown of a system process

Enabling autorun by creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/420115

Signature

.NET source code contains potential unpacker

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ae56d57584819808e38b6b430dd066a14cc036cec568a0832de08e3f65bccc87/

Threat name:

ByteCode-MSIL.Trojan.WrapAgent

Status:

Malicious

First seen:

2020-08-11 12:36:36 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vzlnk5meqgmary4lnnbq3udgufgmanwoyvukbazn4chd6zn4zsdq._file

Verdict:

unknown

39734faf0a577140648e7a9c46220d612bd334a14c547e33a08af07e102fce30

61079c74aff96424d4b6d794636faa4d7bfd9df2ba67a506164d4168ca6bb234

6b24da236543d38133dc41cadcf3dea51bc290479b3d669031a2c8668a620648

9dbd3d33f93d61659ba4cf9213ed43b694f091bd08ba634595f68576f0881fcf

b612173e75cc939bb718725850a57a1487095d863db268758b5ee0bf2463f89d

ceaa237a1cecea60118cad22275777cfa4ff64ea121d317d7e32ab3df4e10412

f0e0f6dc0ab4b552d2e5fd7053c5c57c7e6c6f21a11fe34da5fd9a01f0b24753

f82a4ad4189e3822973aa5944204daadb70d5e47460a6026ec9f274d74dfee04

fa2fea7b2c7e6d02c40890b178133c0c21e6e1182c170c09de4550e85c98e67f

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/200811-wvael21ksj/

Behaviour

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Looks up external IP address via web service

Uses the VBS compiler for execution

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ae56d57584819808e38b6b430dd066a14cc036cec568a0832de08e3f65bccc87

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/43711/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample