MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b899d3d4e860cf43d9274fea91edde020f22f378dc3cf48a464f39b0315d430f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b899d3d4e860cf43d9274fea91edde020f22f378dc3cf48a464f39b0315d430f
SHA3-384 hash: 6b4311f301953ccf49d098e8794daea81952b3b4302ee62ca32a32aa4b069c607ba05df36ab40d531175801d3d4804f2
SHA1 hash: 8d375a7c4986af96aa8fbbe935459ce081b43fbc
MD5 hash: 5fae7c2fe51a1d8c3ee88641fd746045
humanhash: carpet-xray-east-nuts
File name:5fae7c2fe51a1d8c3ee88641fd746045.exe
Download: download sample
File size:923'648 bytes
First seen:2023-04-14 06:57:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:4ZRqfI7DAp+2KFEH0fX8kvwQbN+48H2EGmb4MvPp20HlwfWaGK/vHZsxDTqXG7:eqKF9XdIQhSH2EGmb4MvPpn9ap3HTM
Threatray 103 similar samples on MalwareBazaar
TLSH T17D152321725C5F1AE26967F03D0E630623BB665BF236FB192C8840CB6B3B3544195E9F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
236
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5fae7c2fe51a1d8c3ee88641fd746045.exe
Verdict:
No threats detected
Analysis date:
2023-04-14 07:00:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce10f50d-7bd2-4f71-a637-622fd89c4498

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382204/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
86%
Tags:
comodo packed
Link:
https://www.filescan.io/uploads/6438f9818cbb8f4be303bbda/reports/6226535f-ae47-4cdd-bb0e-67251584f0ed/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b899d3d4e860cf43d9274fea91edde020f22f378dc3cf48a464f39b0315d430f
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/02abbaeb-1226-4e5e-8451-5912a0e60e74
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1213725
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 846656 Sample: kJVYzNzvvO.exe Startdate: 14/04/2023 Architecture: WINDOWS Score: 60 21 Multi AV Scanner detection for submitted file 2->21 23 .NET source code contains potential unpacker 2->23 25 Machine Learning detection for sample 2->25 6 kJVYzNzvvO.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\kJVYzNzvvO.exe.log, ASCII 6->17 dropped 27 Injects a PE file into a foreign processes 6->27 10 kJVYzNzvvO.exe 3 6->10         started        13 kJVYzNzvvO.exe 6->13         started        15 kJVYzNzvvO.exe 6->15         started        signatures5 process6 dnsIp7 19 192.168.2.1 unknown unknown 10->19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b899d3d4e860cf43d9274fea91edde020f22f378dc3cf48a464f39b0315d430f/
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2023-04-14 06:58:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xcm5hvhimdhuhwjhj7vjd3o6aihsf43y3q6pjcsgj443amk5imhq._file
Verdict:
malicious
Similar samples:
04a42e9d0b1c019989d91249331e0920703296490ab8a565bed15e1a0e1742fc
3a7511034e72aa8874f3763cb01604464c74571237bc08906578ed9dcf2c137f
5139217f06a06c8e1ed07dc698e466753577c1b5d8c54bf9fb698d13df19b31a
5bfe34e8eb631772435358e76505165c19651fb9750c1817a602e6e27d12c3bb
655260800846128f96bb9bd7e4926711a5b75df01f36ae7dfa5b2197f1105f67
74f0cd3a4b819ccc977a778fccba82e096dec880a6dba59641fedbdcfb4f7292
b84d775cf5de9234ec178e4a94c5c459f0c6e8ad3bffc977ba20b116b4d9d88e
d47c8ba828cb3c52a859e80ea08a306dcbe0c75d957c1809580d08e37c6407a7
f57536badf2858c34c301bc1fd7e237a1f700f3e48c6563cdf4ada287d1151f2
f8d91c8bc33c75ab7794e0c0a8498110cf03403daed2caf77a47975402be2e48
+ 93 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230414-hrha8aac3t/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/096d147a-4605-4a11-a82a-9069398d744a/
SH256 hash:
e3619fd5c6a40a1cd7ffe516e4aa2fa1ac00d8e8d7dbae5b539c82d47d376d46
MD5 hash:
31de95bd484f137c753b4ae7023afbc9
SHA1 hash:
613d037fd763557fe406c97edfd68c4202b779dc
Link:
https://www.unpac.me/results/096d147a-4605-4a11-a82a-9069398d744a/
SH256 hash:
b61628024d85666c1761b1a0ac3f87bdb7fb7b41a0353647411f364d48684579
MD5 hash:
4fb7cedd9062973643270cb9fb6ade61
SHA1 hash:
5a27be2c6b2bb959e829aac27ab5feb67b6f74c3
Link:
https://www.unpac.me/results/096d147a-4605-4a11-a82a-9069398d744a/
SH256 hash:
0d6cbaaa72fabb1f3dcdd808d86af72fdf5acc86428a9d3f6b59f41cad72559c
MD5 hash:
85b0dbb462a1ded9aec2559924d2dddc
SHA1 hash:
33dc7208c06fb649f4dab104ff3b4bd392109fc6
Link:
https://www.unpac.me/results/096d147a-4605-4a11-a82a-9069398d744a/
SH256 hash:
f074b2c09142fa55caae482b5ec6ba350fda0ac62329bb825d61f21e2e7059a1
MD5 hash:
567bbf43aac601560b1def4a872d4089
SHA1 hash:
21dfc6e6ecf39c9c23927c114ca911559ca4593e
Link:
https://www.unpac.me/results/096d147a-4605-4a11-a82a-9069398d744a/
SH256 hash:
b899d3d4e860cf43d9274fea91edde020f22f378dc3cf48a464f39b0315d430f
MD5 hash:
5fae7c2fe51a1d8c3ee88641fd746045
SHA1 hash:
8d375a7c4986af96aa8fbbe935459ce081b43fbc
Link:
https://www.unpac.me/results/096d147a-4605-4a11-a82a-9069398d744a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Dotnet_Hidden_Executables_Detect
Create hunting rule
Author:Mehmet Ali Kerimoglu (@CYB3RMX)
Description:This rule detects hidden PE file presence.
Reference:https://github.com/CYB3RMX/Qu1cksc0pe
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b899d3d4e860cf43d9274fea91edde020f22f378dc3cf48a464f39b0315d430f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2283634/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/382204/

Comments