MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2
SHA3-384 hash: b11dc56f3ec33a66c36f499aeecf82ad4cc845b7c570eaeeee574d6f715c3583662f642acc4532b4ffc9f5efd3cb3e65
SHA1 hash: a81e91ee3ba4b33d6ff7e14c41b83b9f6a1b4a78
MD5 hash: 901b1e4aea3aab67657476ba5f75c02b
humanhash: harry-florida-autumn-triple
File name:901b1e4aea3aab67657476ba5f75c02b.exe
Download: download sample
File size:1'526'784 bytes
First seen:2020-10-31 06:47:48 UTC
Last seen:2020-10-31 09:00:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jrVn8Hq8/NX+w354Pe6qvpCrP24NkKQEJGt9JmND4OKNjLcPK4lB/gYLNuLv/5:jr
Threatray 124 similar samples on MalwareBazaar
TLSH 2465373D6E5826E76173E635A1E60187FAE825C673781C8B42C33B1C2A4EE063D9735D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/81417/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44247401.26789.19526.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Changing a file
Running batch commands
Creating a process from a recently created file
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the Windows subdirectories
Launching a tool to kill processes
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/517482
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307844 Sample: JRul4UqGUp.exe Startdate: 31/10/2020 Architecture: WINDOWS Score: 84 53 Multi AV Scanner detection for submitted file 2->53 55 Machine Learning detection for sample 2->55 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->57 59 .NET source code contains very large strings 2->59 8 cmd.exe 1 2->8         started        10 JRul4UqGUp.exe 1 2->10         started        13 taskkill.exe 1 2->13         started        process3 file4 15 vauioorz.exe 2 8->15         started        18 conhost.exe 8->18         started        51 C:\Users\user\AppData\...\JRul4UqGUp.exe.log, ASCII 10->51 dropped 20 JRul4UqGUp.exe 4 10->20         started        23 conhost.exe 13->23         started        process5 file6 61 Antivirus detection for dropped file 15->61 63 Multi AV Scanner detection for dropped file 15->63 65 Detected unpacking (overwrites its own PE header) 15->65 25 powershell.exe 23 15->25         started        27 powershell.exe 19 15->27         started        29 powershell.exe 15->29         started        33 10 other processes 15->33 49 C:\Windows\Temp\vauioorz.exe, PE32 20->49 dropped 31 cmstp.exe 9 7 20->31         started        signatures7 process8 process9 35 conhost.exe 25->35         started        37 conhost.exe 27->37         started        39 conhost.exe 29->39         started        41 conhost.exe 33->41         started        43 conhost.exe 33->43         started        45 conhost.exe 33->45         started        47 6 other processes 33->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 02:04:30 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2268c04275e6483759c53e8fc26f983591be004ac63afd19591da079bbf67875
3851e4da93c65618087cd06ef6ebc2bf69c3c8abc3f99198f29afed95d9f0079
49d9309eac532c0e556de20a5caab67bf0819266c5eee7aeb794472a3f70b3d6
7216531f7bdf08e92cf69d0754b27da97d716c62ec5294fa03ccebb7e652bfdb
723ec630211ca5a3268bd62e03caeec38b40e5d33c0e80908fec14332f006988
79aefd220ad57f02617c46f42f1c1eecd787b1149c19f2935b591525ad4390bf
84963ca54f8eb0ce82a218b12f064e0974f72bf100aa22452b1ebcb5a5d39db3
84ff047bcfc4af6e249a5b466477d1b72cf261fc5a40752a62a149158118224e
87846ad003a6ae72132bc3771c9179a5d9ed1857eca281fd53bab57ff6e93de1
f3d09b6eed58e5d0f2e4d89390284e30b6a29d81bec884559b4456d52b1232ed
+ 114 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201031-x7hg4cnkee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c569b5dd76b6c49a985b6f8dc69d4f7f7f5cc4dc301ea7bc0c80a3a63b7bdaf2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/572766/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/446500/
  
URLhaus
https://urlhaus.abuse.ch/url/686533/
  
URLhaus
https://urlhaus.abuse.ch/url/572763/
  
URLhaus
https://urlhaus.abuse.ch/url/439722/
Cape
Cape
https://www.capesandbox.com/analysis/81417/

Comments