MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4ac41c87a05e54cdd6b31132994860cf61bc0ab2f04a8c7ff65ef3f585becf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4ac41c87a05e54cdd6b31132994860cf61bc0ab2f04a8c7ff65ef3f585becf5
SHA3-384 hash: 1b9d5d7ea692f5201bf6392a6cbe0045724563c5285cb5791aa59ac644105f9f3a32175607d249cef5e9f090fcf67cbc
SHA1 hash: 2a661328ec3710f65ffb0e14deff8deae1a3252c
MD5 hash: 864dda38ff773497a8280ba1a1d7d51c
humanhash: five-oklahoma-seven-friend
File name:Joinerstub_B4A.exe
Download: download sample
File size:2'824'192 bytes
First seen:2022-04-19 00:02:57 UTC
Last seen:2022-04-20 10:22:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:6E0oFTFgIDyasC9FmW2HznzoE1M3cH8GacvHbiCmp6KC8xAqIdn4ASX+md39LCTr:6v+pgIDyasCv+HvqWDDinTC8x0HST3t2
Threatray 9 similar samples on MalwareBazaar
TLSH T13BD533506CE67894D13E2F71CA70C9B7C6625106C84AD3EC0A147A6ECD707E4A6B3E7B
TrID 38.0% (.EXE) Win64 Executable (generic) (10523/12/4)
23.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
16.3% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.EXE) OS/2 Executable (generic) (2029/13)
7.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon a2a2e3e38383a2a0 (2 x AZORult, 1 x Amadey)
Reporter adm1n_usa32
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
270
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264447/
Detection(s):
Win.Packed.Msilheracles-9943143-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Searching for the window
Unauthorized injection to a recently created process
Query of malicious DNS domain
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/625dfc3bffe27d5119051bf9/reports/cb5accc4-65a2-4d0a-bd0c-f7472539901f/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5b019961-c63f-465e-b3fb-8cf2d01004a0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/978509
Signature
Antivirus detection for URL or domain
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Koadic Execution
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 610992 Sample: Joinerstub_B4A.exe Startdate: 19/04/2022 Architecture: WINDOWS Score: 100 61 c.tronlink.golf 2->61 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Malicious sample detected (through community Yara rule) 2->73 75 Antivirus detection for URL or domain 2->75 77 5 other signatures 2->77 10 Joinerstub_B4A.exe 3 2->10         started        13 GAOBCVIQIJ.exe 2->13         started        15 GAOBCVIQIJ.exe 2->15         started        signatures3 process4 file5 55 C:\Users\user\AppData\...\tmpDA85.tmp.exe, PE32 10->55 dropped 57 C:\Users\user\AppData\Local\...\XtJHoOqd.exe, PE32 10->57 dropped 17 XtJHoOqd.exe 3 4 10->17         started        21 tmpDA85.tmp.exe 10->21         started        process6 file7 51 C:\Users\user\AppData\...behaviorgraphAOBCVIQIJ.exe, PE32 17->51 dropped 67 Multi AV Scanner detection for dropped file 17->67 69 Machine Learning detection for dropped file 17->69 23 GAOBCVIQIJ.exe 4 17->23         started        27 AcroRd32.exe 40 17->27         started        signatures8 process9 file10 53 C:\Users\user\AppData\...behaviorgraphAOBCVIQIJ.exe, PE32 23->53 dropped 83 Multi AV Scanner detection for dropped file 23->83 85 Machine Learning detection for dropped file 23->85 29 cmd.exe 1 23->29         started        32 RdrCEF.exe 44 27->32         started        35 AcroRd32.exe 2 5 27->35         started        signatures11 process12 dnsIp13 87 Uses schtasks.exe or at.exe to add and modify task schedules 29->87 89 Uses ping.exe to check the status of other devices and networks 29->89 37 GAOBCVIQIJ.exe 29->37         started        41 PING.EXE 1 29->41         started        43 conhost.exe 29->43         started        49 2 other processes 29->49 59 192.168.2.1 unknown unknown 32->59 45 RdrCEF.exe 32->45         started        47 RdrCEF.exe 32->47         started        signatures14 process15 dnsIp16 63 c.tronlink.golf 156.248.77.90, 49760, 49852, 80 Africa-on-Cloud-ASZA Seychelles 37->63 79 Multi AV Scanner detection for dropped file 37->79 81 Machine Learning detection for dropped file 37->81 65 127.0.0.1 unknown unknown 41->65 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4ac41c87a05e54cdd6b31132994860cf61bc0ab2f04a8c7ff65ef3f585becf5/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-17 19:43:00 UTC
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
034e8e297165eeb14372eea7a7e68756e561df39b84c5be924e542a36dee7418
569afa7798750e707f1705098a4a21a578f35e903969602088af2e03a94a26c5
6c5c35c34b7808d48cd428051263c39f70c7beb10a4e426d6e348d52c2cfe53a
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5
7c0790ce5a7cfd7a3ab0af70a4766b7003bdf8eb2e366f5c74f609c57c34f4bb
9f86527e3ca4530bb3209d8608dae083afab4ef2cf7b0ae23bcd6fdc322a0c33
f1c5be0df761f43d265a1e7057f59a05b1f78f3bafabd7a9145fe195fc6db97a
fd64e524e0f85d83e28e36f15bcb4033b508abcb3695c02612f56e4122b8beb7
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220419-ab15dsdfgj/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Unpacked files
SH256 hash:
757eb1dc48fc181b770984905c3ec14c7be9c8f9bdf813108417e318479051f5
MD5 hash:
c8d852fb1561658cae72fa498777bfbd
SHA1 hash:
ea689804b69e9e7611059d11eff2fdadd656e6fb
Link:
https://www.unpac.me/results/9ee52ded-d195-4d38-8e27-fc051189bcc2/
SH256 hash:
a36e5c8960f27edfe6faac02d2b5912317dce0b9ab558378680303e1b15503de
MD5 hash:
90261f729f296a8a65488286f9c52df1
SHA1 hash:
a75e01a587ba922b186d9eab167bddfcd29decc5
Link:
https://www.unpac.me/results/9ee52ded-d195-4d38-8e27-fc051189bcc2/
SH256 hash:
7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a
MD5 hash:
944ce5123c94c66a50376e7b37e3a6a6
SHA1 hash:
a1936ac79c987a5ba47ca3d023f740401f73529b
Link:
https://www.unpac.me/results/9ee52ded-d195-4d38-8e27-fc051189bcc2/
SH256 hash:
48f144f744a9ce60659ee8cc7094610252aecbabf95492fbc612db919d144918
MD5 hash:
d9e08ec1c571d8139255cf305e3fef40
SHA1 hash:
72aea7c18c901a3246eb276258e3b37a95048b4e
Link:
https://www.unpac.me/results/9ee52ded-d195-4d38-8e27-fc051189bcc2/
SH256 hash:
6e1337b4c35f1aeca5925b7307c0ed7273507f8fbc482594278084da4a609513
MD5 hash:
a1e92769af538214dd236bc6ead1e965
SHA1 hash:
1fe5903c62b0670b6453cc104cc724b5889fb55e
Link:
https://www.unpac.me/results/9ee52ded-d195-4d38-8e27-fc051189bcc2/
SH256 hash:
b4ac41c87a05e54cdd6b31132994860cf61bc0ab2f04a8c7ff65ef3f585becf5
MD5 hash:
864dda38ff773497a8280ba1a1d7d51c
SHA1 hash:
2a661328ec3710f65ffb0e14deff8deae1a3252c
Link:
https://www.unpac.me/results/9ee52ded-d195-4d38-8e27-fc051189bcc2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/b4ac41c87a05e54cdd6b31132994860cf61bc0ab2f04a8c7ff65ef3f585becf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/264447/

Comments