MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0
SHA3-384 hash: 436727b4fa1bf58132d8fc5bd14a7632e5ea4ebd730b7dad0a304640b197a1d32358d5dc6b73af405ecc0227d95dd78b
SHA1 hash: c3e5b6b551649693d7def507c007149fa26a5da6
MD5 hash: 4d85d4d48734b6a26d601ef62d1527ea
humanhash: maine-romeo-fourteen-purple
File name:PO46723.exe
Download: download sample
File size:820'736 bytes
First seen:2023-12-18 17:20:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:kQwEx2iNS+uCiLdS5/uhJf285cO+KrNDORFlNw3IyMAyMBsfiW:Twk1V+oyN5cMkRb+Eusf
TLSH T12505C23C48BE2237D6B5C6B5CBEC8827F01CA46F3151AD6594DBC3A653C6A4274E322D
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f08f898c8e8a8fb0 (37 x SnakeKeylogger, 19 x AgentTesla, 17 x AveMariaRAT)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468317/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Win.Dropper.Formbook-9994358-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/65807f8103487a0d25d3b027/reports/942763b8-9fad-4292-9189-d24f37b847f5/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/61eca0ae-ef1e-44e4-a0a4-28171a7f1a76
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1364061
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0/
Threat name:
ByteCode-MSIL.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-12-18 10:30:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjqx3tgtczixoitkpqr677ln2tsr4dagy6wvpamo6fdb5svkcpqa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/231218-vwzghsbhal/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
4f4c0f968ff3c3e4b8c72657d6a45b6768c2dd5dd80e64f1e0dd1655f7bc046a
MD5 hash:
25ffda38f2648a4d3b31fe28d174caab
SHA1 hash:
ec75484b157ff4e087b6d95cd10081fd22099ccf
Link:
https://www.unpac.me/results/b3d81bd3-9cea-43dd-85a5-d42d5a4bb0ce/
SH256 hash:
d01f3dea3851602ba5a0586c60430d286adf6fcc7e17aab080601a66630606e5
MD5 hash:
579197d4f760148a9482d1ebde113259
SHA1 hash:
cf6924eb360c7e5a117323bebcb6ee02d2aec86d
Link:
https://www.unpac.me/results/b3d81bd3-9cea-43dd-85a5-d42d5a4bb0ce/
SH256 hash:
c681e39199e58b59eadda0b0fcf86b9fc2e6c43cb2ec392bc05627245b2148e4
MD5 hash:
44c9c77691c640a1c57dc3b82db6cf70
SHA1 hash:
4da3e3d560a75b61a381ed657e34b0ff89548568
Detections:
INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Link:
https://www.unpac.me/results/b3d81bd3-9cea-43dd-85a5-d42d5a4bb0ce/
Parent samples :
ada28dc16f1eb7d03ad145b01c1525e832d18bcd8a179dd68c1f5c4313b5853f
9496ea650a182fc8c1b87b205c226d44b7271186b473b156cfb727c2e81dca0a
2fefc7f1b4dec38932b815ef1192a4343c4face356016de5ede1c17958950975
be69955e99c6aec10c257ba0211df9cce2fd5af533a8932ba447b1450aa35699
59d1135fc573e663c3c92460520c6ac49ef035d3ad789cf69708cc6c6409a9bf
bb0563d0a398d0501bda4848f662f494dc8807b2ca7e81fd733d38e1145f1efc
ba33d177c1fbc1f4f44ae77af00eb377e9196b2f9f1556e94fd82b942883be13
9996fd83b852a172c456594e49d2a13d94b0c8d55a9a2d28e5658853ed819b28
c5cd096e51840ab5ceb8a29c7efedee7ae3f16562bdd4779b5b1bd44dfc784e4
128b915c058609131a3ae2ae25b26aea06b51a0001bb9b9794b9cf401f16668c
961501b7f2e2ba7d255fc9cc4de8dfd0697dd2265c2e4e316f92854166614c31
5c7c411ea48976a55a30558e1ce6147a7f28b6b99d84083e1f01de1db86bb588
9dd7786a5c103076ba73cce2e2a3dad65a6a76684c781a86d924cddf9bffc8b3
a3980c5f653e99fe53dc88f60a9ca1b4954b8cee932085ea57b1f46b9c7ab4c1
30f5366a61da542dd959a186cf9ae3cbc13efa1d66fcb67631b62cfd8ee52612
9feeb14ac128b73d9c6eaaea8c91272ed93a1780c126b6ca90ed077f1185484a
ea93863c147402b54407c3a1eff90043b55e76a08aa3ff4a8823469dd4d9def5
46295ce76105598ad1d887f772d13391523cf76347b3ce1f8be1db96053c278c
9704e443a68009427028c22fdb39eb3e28a32709d42358b1df4c95d16a4112fe
ac44b7c74193bdc699761d10f631bde2dd81b7f4d23d57f6cd240c62a9b26331
6464a6492dd967af2d0582451a3574b456699f0337cc6b10c088988078fed79f
4c3c1031279a42eb5955cccfd5a006235cd27b909503d10ad4eb1c10dc5cebfe
e404945ee6da74e3dda8a92dbb0e7e163c46a48c84aa0a291456a0f66a5030fa
5336c951ff27b8609dab0bcde98c674d54e972eafc5514039d0a893fdd52a965
b25ebc1b52d81dfb1cf844c3b87d65c0a307589b2775c12aa7c7c2ebcf74fcd1
6bffe8588990f845c6eeafbdd359e2355dbcd68de8b0605175935886857970bb
0390ab5a06e04c8c38776aeeea11fd0352230d049be1defb139e71e8906114ba
3e43fe5dce47c5a3115320ac38040f4b6367e58356a06810ca638579da1bf3d1
fccac8700366b9cf48eafc5c012a1616534d26fc6501d4014e56a0619d5d0db4
b965df83cfeec960e1372166cd73d936ebfb3be2986db0bf953bf2b67b5209ce
3d537a7796fa465cdff1388141e37df9ff689007f024808b90381640f99b9b7d
9cf514b4555e47eccf07148c0e961250d108d04d8187a4aa224629f7a0961142
8737b9c5969931c61500427c301c40e635acec433bd4450e1dca9f202e97fb6f
6819d0ef008f17b3bffc407cbc8e37c43eabfdc39bdb10029afb535f542e4d86
7948315565e8321056661c7aabdeb10e01ca73d2425a6f6bd17593a0ffb484ef
531ba82cdd6f8cba501fd8c5160ec637c2193ce69c455dd8e591da083f2c80da
509f9d3065054df28846986ba9a1190361092f3bad865d77ef2ff10d32151ad2
abd4a743c4aa8fb625f1af14edc51606fc1b8e1a15396d9db706c1fd3cf41395
4a0a2c6bf6a863c1c56fb7b6657fd8cd60369e03fb40d8634eb5ee37d8575390
5721a2c6e2c0a577828b9e4b3690a18a7df63e541aeba65781464c1f73e8da91
24ba94ab2486ed9bbac37e3fb3508b6bb38ec8bafe1c0816719351e0790a21f4
e5ba53de1a80eda27337da32ad9bf522473c542fc42a434fff3fc843cbdf88ed
d2312c82b0ef97a5bfcf73173a4b72a720c2194278d6a7815091e4f4727e6a61
fe708d845a9c3e6d3338b2a146a4a5e68fe05d448b72a63bd60f4b431b243d9f
56cd0e12747b872def87829710c32165fc42e34ed351872e1750fbc13a8c31a0
93c052934438599045e6d9a3177f5d7d57960cad17070bc74444c1e4818bb81b
3de39937dbba16980b665dcf03505af8bd11a77a9f09d8e5ca69837932a9340e
b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0
4f8ef9616b1237912967776aff09a8b8fea96837f78787911ce7405ecb4b001d
33208d34b4f679b8ec036d5be12f4d2ca960dbbd8af46b20247d5df93f1f63a5
3ae22f99bd5e1772eb6f9abb1d127c8682b5847b6e7e062d843ef236db85e828
94afbf76b9c59a5e2ae4bc864a78c41f92602c5b37e6771eb29864344b69dbce
b091bf4326241b1053f88a1a47618fee3f87ccdce873a9bb79e653670b7e4948
8d693225be9e1f824c20f3bc2f71a9c21e87a2b32bca274580b7abad75ecacbb
d02530a2bac21b47a1ecaafc185ddb11680c9a90d0fcb2c52b7b081b952f1cd2
01dbf52c9a79ce268fa7b5ab876ab6c8a8e6d5d5de70ccfacd11ca169e83908a
5c11be9fa69ed199fb4004a1fb7cf649d4f7e469b43c7b5f73f4867cecf89d18
7f2fea83dd18d529a6a6440334240fd6ea6cb4a84d4bfe1ab3213c894a7a51d0
0eed254ba5c7e7cc2b6ac08be4b1a450d453b58ed58d5b23caed7fb0db89961a
9dba8d99de990b1900e024e45a32d8ed2ffe06018ea422a92eb4a9cca56144e4
2b55e6baa2cf6110fb403cdf32cf7b9c06684e06a53a417b9f0bab73fb9c6747
71cabc7f66e840c073f576ee3051b7e4eb355bc28065a10eb06e5ec737d08221
61c11d170ceb320bafd7872824de7ce33d10fdbb5ef585e67487f9afcde5e207
4e77677a9a29e465f030c9a9695533c8dbde964ecc66585a0b9f26a1548ad3ff
0172a0a250dca4e77360389ca9a6ee4dec2f306bd056265c9a42de7af49481f4
cf672b77bf6d5faee34f9ebaca90fef0222b422db31d4464ec73126a15736c3d
00972929b3e57240b86f2812aca237acff75e09d18a55bcf575d22a2beb5fc9f
8e57e2bf33cb22ceaf6596ce060680e8efa099bdaaafc2383b1d31b24b0fca58
6d306743daac37b3fcc6276d1e507f504833ffb8db0839808c016a339a64cf85
7bacfc4148055cac9beba5517630e42a46ca8689bc8e6fd1bb25831e43e58582
e28cbe3c81e959dd96ca36cbf3585b4523ce4d75c989ffc16d756f71b3d2fe54
2b6f9aaa250051acb504eb782e963ef4bffca581d26d7c632b405f130ee5e09b
2b99095636ec250358f5abd47474a374de96f743fc2fadb89642401301e6b670
ef8e672ff4f30d2630ddebcf804c67d572e9979c949e4803654572479f486db0
e50bfa53e75f7c54582c2609f3c59db91bb47590a43a49e95e5458a6ae97ad4b
d6aa67de9b98880b2d666debd047112535c8527642220a81b72d6246b1eff210
0c263290cd7f3c225d5f7b2ba488ac5d9927b03411c566fd81b73bbee827c46c
0ca7d41fee3a2830bf3c46fad06e838fa2f3a362a3f62f58f1b3f0176146ddc3
937937444fbc2f971d32996dc728c166315195b25b2c0aa4befbef762b93ea35
46a870926fb693596e4fea1ff6ed4bd228d8cc63a9e285997ded48b1484ab3f5
8736f4327bdd2098d35ca3ed5c2733f3a066a434804b846277047ef097e09c85
68539ce65162c2526ee390f706b68e249e05e0453f2e5138dd77a9d5aaa9b54c
1e0ec921f531219f110e8bf1e1e5b5d757119ea7e2f1d885bfa234007548c95d
6474b902f837575873e3b356ef0939eedccf0cad4b07a82fc5b7aa80d3b46339
d9c3810761942c6191a8e2dfb22b2178d6970bf474a908a4af1bc80b3022a774
4dbdafb1f38d8d8f55f611e7e6985b3975658a8b0b652d80c432eff73812e21d
169ad5c33acf7a4aae70046eb2ac4e8f60c62c236065c616277b827ea4ec00f9
79658843a0028941539f3b437a8d262c78b15e6e58f4b1f7b96bf357b06fa84f
326f39b2d29896b3748625b4bab991da83ce7583b35dc0ed984455c77f24057b
18f9d778efc5dcb90c7ae7ccaacdfd8b9041295447759c1811e99a5d0a48dcda
a9ed7edf5b5cecaecdf126bafc6c85d3ca918363d874f3c33afc07131bc43c4d
26f693ee7807e9a341eb9936519194f587d1bd2998fdb734d36cd62b9a46b8b1
d34e493e8e0dfa5e9a04ded3565e2ed4d60473148e63aeb3fca9a7f62dc90900
70369453cd6e8481ce8f2fc4fa4074fb998a27ff6f91bce6caeab0ecac36493b
781fecd030f2f437a89dcf726a45e3eed218043316b35e80770a20a6f4bb62e4
c569fe7d3ccb9bf36356f829d5ab7de3ba4261d3beaffef1e690d8d197919c71
221df9cb593d75416b887497288cdd49ed654c164f1a752671301228a97e2282
97a3313357020aa0cda6addb7bd2015cc52f67dcde4c75f4d89f9f4d76f17b04
3e90bab5c79be10c283f3752091122910f7c5b9f35428a37eb0250d244d01f94
SH256 hash:
b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0
MD5 hash:
4d85d4d48734b6a26d601ef62d1527ea
SHA1 hash:
c3e5b6b551649693d7def507c007149fa26a5da6
Link:
https://www.unpac.me/results/b3d81bd3-9cea-43dd-85a5-d42d5a4bb0ce/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe b2617dccd3165177226a7c23effd6dd4e51e0c06c7ad57818ef1461ecaaa13e0

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/468317/

Comments