MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2515df7e9eb70d6b570111a20ef302156cba0a672d6a8632a01c67d7fc20b4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2515df7e9eb70d6b570111a20ef302156cba0a672d6a8632a01c67d7fc20b4e
SHA3-384 hash: 2c2d9008f295ef9d22a015fdf39d0884842deaf57629635236d4ef53aab5ef1e049b14092cfbc386f6af8e25ad62a750
SHA1 hash: 04ebcc98bd979caef9deda7d6dbbf797280ded84
MD5 hash: eeb6d0d7b996849adce802bb85564669
humanhash: victor-bacon-white-item
File name:Massasds.exe
Download: download sample
File size:3'337'728 bytes
First seen:2020-11-12 08:09:06 UTC
Last seen:2024-07-24 20:30:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 98304:IDFoLlDvF1qda+Ou9LyPpQ+QQJBrrSvhzakWi:IBcvF1qdaKKZSvhO
Threatray 908 similar samples on MalwareBazaar
TLSH EDF5339AB37E78F0D04262B2B25411010472CA9A3F955B2F77F486D44F7BEB9169332B
Reporter JoulK
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Msilheracles-9786346-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching the default Windows debugger (dwwin.exe)
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Moving of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Qulab
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/532119
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Qulab stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315161 Sample: Massasds.exe Startdate: 12/11/2020 Architecture: WINDOWS Score: 84 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected Qulab stealer 2->49 51 .NET source code contains potential unpacker 2->51 53 2 other signatures 2->53 9 Massasds.exe 3 2->9         started        13 WMADMOE.exe 2 2->13         started        process3 file4 41 C:\Users\user\AppData\...\Massasds.exe.log, ASCII 9->41 dropped 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->55 57 Injects a PE file into a foreign processes 9->57 15 Massasds.exe 2 9->15         started        17 WerFault.exe 3 9 9->17         started        20 Massasds.exe 9->20         started        26 3 other processes 9->26 22 WMADMOE.exe 13->22         started        24 WerFault.exe 13->24         started        signatures5 process6 file7 28 WMADMOE.exe 3 15->28         started        39 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->39 dropped process8 signatures9 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 28->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->61 63 Injects a PE file into a foreign processes 28->63 31 WMADMOE.exe 59 28->31         started        35 WerFault.exe 17 9 28->35         started        process10 file11 43 C:\Users\user\...\WMADMOE.sqlite3.module.dll, PE32 31->43 dropped 45 Tries to harvest and steal browser information (history, passwords, etc) 31->45 37 WerFault.exe 31->37         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2515df7e9eb70d6b570111a20ef302156cba0a672d6a8632a01c67d7fc20b4e/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2020-11-02 13:16:05 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1915126c27ba8566c624491bd2613215021cc2b28e5e6f3af69e9e994327f3ac
23ef17c8a9fbcb6c35549aff9263566bec6e3fbc61e6bdfb9715d2595a1ee003
6cebbb0e3d8d28117e67f18212a9847d0262fd4e616def639be1071f1c33b8fb
6d1cfff093998c807b9c5dc3fd122adbea40c5bad0cad4cbe10b43932c28bdd9
b254d7faa603b46c4c63f6d1f88d65767fb80638a000967fe527b9572b956e35
b2c546db519f541e77933c1ae7884047df59775c05488c766a5b1b96eff1cb79
c1f0ba6302099b8f7ef1ce28a333764efdd308cccc761ba4fcef2af386f13090
c3ecd490c37b81d4675c4f57cb6417e62edf45e4ce6890dc7ae7fc99d3ab207e
db6c57acf61c5e3fc79190feca4683089f6a05b8af985e49361d25995178e4d0
e942c853f791a2ebd37ae59344bf8878d9a02cdcb83848a68876c49497c642d2
+ 898 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
spyware upx
Link:
https://tria.ge/reports/201112-xlg6xeh8cn/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
ServiceHost packer
Unpacked files
SH256 hash:
b2515df7e9eb70d6b570111a20ef302156cba0a672d6a8632a01c67d7fc20b4e
MD5 hash:
eeb6d0d7b996849adce802bb85564669
SHA1 hash:
04ebcc98bd979caef9deda7d6dbbf797280ded84
Link:
https://www.unpac.me/results/4cc26205-11e8-4c0f-84fb-5ed8e2c032cc/
SH256 hash:
a1fe6dd596ff8e5da2bba22730332b756af09aa6855d44febdf82a0f7cddb1f3
MD5 hash:
326317a921490a30ee8d598bb5d57781
SHA1 hash:
4cb55be54c5827fa803a94cce5f7448f9b56a827
Link:
https://www.unpac.me/results/4cc26205-11e8-4c0f-84fb-5ed8e2c032cc/
SH256 hash:
cf67cda4bb07435927620e8db9903bbf4f9a1af40906df10ee81b636e320333a
MD5 hash:
8246bd685297d8a907bb55058e9fbb3d
SHA1 hash:
cd355e38935d45ad65a2899dd97d5fe8c5d675e4
Link:
https://www.unpac.me/results/4cc26205-11e8-4c0f-84fb-5ed8e2c032cc/
SH256 hash:
6135142e7c28f5b345da930e4164e6446d84c6ec3c747301010e07ef54a85e8c
MD5 hash:
748fba7d2798fc038c692f10668c06d2
SHA1 hash:
c555a157458b87f8b7cc1d37f08757402463765d
Link:
https://www.unpac.me/results/4cc26205-11e8-4c0f-84fb-5ed8e2c032cc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b2515df7e9eb70d6b570111a20ef302156cba0a672d6a8632a01c67d7fc20b4e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/809995/

Comments