MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1f5a601f284a8a4ebcafa64745433f2d02fbbd05eef1a2c95425464c827a2c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1f5a601f284a8a4ebcafa64745433f2d02fbbd05eef1a2c95425464c827a2c8
SHA3-384 hash: 613d336f39d5e01923081ea7c4643d6e75a5a2895abbd41a2b4459ee176e75cd53b6647ffed99085a70c65c6d4e41cbc
SHA1 hash: 4a2e5f074263820d63cadcf2fe788f2052bceedb
MD5 hash: 2debc277dafcd68af1fdc0bc930d4de8
humanhash: network-hot-beer-illinois
File name:Jsom_LINK.exe
Download: download sample
File size:284'160 bytes
First seen:2021-02-12 18:37:49 UTC
Last seen:2021-02-12 21:02:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 6144:dkQtYG6gQMP9+VlFqsl+HYlUTWP0Ua0cJx91a7E+MsPBCwzq8g:dkjo5FclFqsl+HYl3LlCda7E+MxwG8
Threatray 7 similar samples on MalwareBazaar
TLSH 3C54231897722699D2913F7168BB2642E964B728DC43E7C8A2C21734BF123BD4E50FF5
Reporter ov3rflow1
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
558d9db9309b918e
Verdict:
Malicious activity
Analysis date:
2021-02-12 17:56:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ec874da2-7a64-487f-89b8-f01fad750702

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116946/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.12497.10209.16993.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/607053
Signature
Binary contains a suspicious time stamp
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1f5a601f284a8a4ebcafa64745433f2d02fbbd05eef1a2c95425464c827a2c8/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-02-07 02:29:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
6 of 28 (21.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3a58855a902398680563edf448779739201772e044102fe1c733f54fa9c936c1
41e272c62e16b458816dd05ca01a7178d861ed61b6265ff87f6d04cdd1a50a4f
9254faf90ebf9e32ea3f024c10a212c03d7c2bef3169bd0710b3e45e7d18e03f
a717b5d3af3173ce9958a23f95269e2d8ccd8979445626342c32b398d4f08f8a
af65c9bd3daedaa3d1560018858eeb0919159baf90d59b55c3363a6fffef9d92
bee499c042e347713e243b9cfe9ccd53a439adf0081a48ec16a458114aaf1fe9
c80ce609bceb3fb3d9c3432d8d42503644299c1ccf9a1b9d6f82f116948fed8a
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210212-awq7bc9lrs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
dcb2b7567f611c8188fa54db013a20d30de664c0d3cf988da5bea2c49eeda61e
MD5 hash:
7b88602b36e07896c99360ac57cce510
SHA1 hash:
eed9dab8e47a787b259ed4409dfc2c7c94973b83
Link:
https://www.unpac.me/results/0e0929c8-26b4-4dc6-b121-4279112dcb32/
SH256 hash:
d838c40848daf87743e96d42f8db18bb66a0b27cff5a48926a85a61c2d3e05b9
MD5 hash:
0bfef61b203054f6fbf08419ffe3f018
SHA1 hash:
ed9d0418507630996eb2c473ec5daf11d185c2c6
Link:
https://www.unpac.me/results/0e0929c8-26b4-4dc6-b121-4279112dcb32/
SH256 hash:
f83204793796de4594d4c41f9727e7075ebcbeb437ae53545ed9b218a4d09d52
MD5 hash:
021e4e40806f898f3b27528dff66c881
SHA1 hash:
be926e473afc8a564ae377eeaf41a88da411114c
Link:
https://www.unpac.me/results/0e0929c8-26b4-4dc6-b121-4279112dcb32/
SH256 hash:
4a7c23fb1fc9103297eee4aed3084fb523c0c5c6b26492550dbf1bc904bcade1
MD5 hash:
cd5be3d6d6f72b4e517f1aacef222fd3
SHA1 hash:
1b55f54b61bd8673c8cefe07fac8f240fd38b5e8
Link:
https://www.unpac.me/results/0e0929c8-26b4-4dc6-b121-4279112dcb32/
SH256 hash:
b1f5a601f284a8a4ebcafa64745433f2d02fbbd05eef1a2c95425464c827a2c8
MD5 hash:
2debc277dafcd68af1fdc0bc930d4de8
SHA1 hash:
4a2e5f074263820d63cadcf2fe788f2052bceedb
Link:
https://www.unpac.me/results/0e0929c8-26b4-4dc6-b121-4279112dcb32/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/b1f5a601f284a8a4ebcafa64745433f2d02fbbd05eef1a2c95425464c827a2c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/116946/

Comments