MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34233832ba58e65dfaf36d7be1c5395326a9f601e894c6615748ab5600e0220. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c34233832ba58e65dfaf36d7be1c5395326a9f601e894c6615748ab5600e0220
SHA3-384 hash: 73c78f7359ef995377c3d68d0bd2eee1ff5c652062faef415f77d2da6234ce7184add38564201d5e93d0fe927aaf236c
SHA1 hash: 91d2af3d463821562b8fe9be06d4b304ebc2585b
MD5 hash: 70a9b681d28137cfb4f0b4ab59ef51c6
humanhash: glucose-william-bravo-batman
File name:SecuriteInfo.com.Trojan.GenericKD.62304848.17781.10932
Download: download sample
File size:129'024 bytes
First seen:2022-11-15 18:08:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:8kIyEk+sfa7YyBJFYDmuStguz3j2qtB+KN+m1+zAqSoMY:8kIyxfaDJFYCuStgoiJ++m18AqDM
Threatray 1'764 similar samples on MalwareBazaar
TLSH T1AAC35B023784C722D854147B82FF056403F1ADF7EA76EBD67F9C766D1A112A2AC89EC4
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0000b2b2ccf0004c
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
arkei
Create hunting rule
ID:
1
File name:
f552b32f88a9508a1b3141c1f6a4bcea3f06c7146c87718182b31ca2b3c42166.zip
Verdict:
Malicious activity
Analysis date:
2022-10-24 16:59:34 UTC
Tags:
trojan evasion arkei redline opendir socelars stealer loader rat tofsee miner
Link:
https://app.any.run/tasks/d03b8e96-3629-4bce-a216-4218f8f51bcd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/334451/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.62304848.17781.10932.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6373d5c007c3f5e84a014d5d/reports/459b19dc-c32d-4ecb-aa32-385c603eaed2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0244d6a9-f9b1-4fca-a969-928e4aaabdaf
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1114113
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c34233832ba58e65dfaf36d7be1c5395326a9f601e894c6615748ab5600e0220/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2022-07-13 16:56:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynbdhazluwhglx5pg3l34hctsuzgvh3ad2euyzqvosflkyaoaiqa._file
Verdict:
malicious
Similar samples:
2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858
3a25da07a992068bb3c251387f4c2f3fd61818eea0939a700a4c2c3bedfca312
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e
711d8a94c429866e76447eb867f6408eb83b85d9bbea615084722e6055a9d939
736f9602b14da32716ae030c59df040465df95ed48c964b33486c04b0ef1002d
7c23a4178b8fc14dedfd30b2b8fe462b4d936210bc64d6a14671b14a9387306a
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
f9b03c723f0707c47dc00e0d77ac55559d2cd07cd6b38a67126e535068ca05dc
+ 1'754 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221115-wrfdhsba31/
Behaviour
Suspicious use of AdjustPrivilegeToken
Enumerates physical storage devices
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c4c494db-bbc0-4d4a-b884-5736c5e1dad8
Unpacked files
SH256 hash:
c34233832ba58e65dfaf36d7be1c5395326a9f601e894c6615748ab5600e0220
MD5 hash:
70a9b681d28137cfb4f0b4ab59ef51c6
SHA1 hash:
91d2af3d463821562b8fe9be06d4b304ebc2585b
Link:
https://www.unpac.me/results/f82c16a2-0af8-4b9f-9e28-e83d1de28ef1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c34233832ba58e65dfaf36d7be1c5395326a9f601e894c6615748ab5600e0220

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c34233832ba58e65dfaf36d7be1c5395326a9f601e894c6615748ab5600e0220

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2412949/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/334451/

Comments