MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c721b0763a2f11e043a9f309937f65e16e9a27f42e103ab45252c83727415367. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c721b0763a2f11e043a9f309937f65e16e9a27f42e103ab45252c83727415367
SHA3-384 hash: 9cbb6589b8422c628869b26048e22825a427cf7f2a596116a26ace1f84cd59c5a3e81458f6a40dfaa0f08b682152f2c3
SHA1 hash: 37257f24e27d367c963b4ae859cafe693ebf7d85
MD5 hash: 30d92f4ba9d87bd8b2415445c7d5b09a
humanhash: shade-leopard-nebraska-pasta
File name:Invoice_BNS.exe
Download: download sample
File size:2'321'456 bytes
First seen:2020-09-10 13:25:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:ZUiiprlcOGKIjtbt6UN51X5RcDKZHavKAFHgA/MDEyYNWfH3qNu6T:ZUiiprlc9p56uLcDDKW/05VW
TLSH 84B50202FB508A01C6882671D5A78D351BF3EDA73134E75E3E9872A52D733A68D2B3C5
Reporter James_inthe_box
Tags:exe

Code Signing Certificate

Organisation:UTN-USERFirst-Object
Issuer:AddTrust External CA Root
Algorithm:sha1WithRSAEncryption
Valid from:Jun 7 08:09:10 2005 GMT
Valid to:May 30 10:48:38 2020 GMT
Serial number: 421AF2940984191F520A4BC62426A74B
Intelligence: 307 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 2CF1EC6AB594113BD538DF6D5C940E3319B424F8756D975888072C6AB558B771
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58401/
Detection(s):
PUA.Win.Adware.Softpulse-6693796-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
DNS request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/463205
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c721b0763a2f11e043a9f309937f65e16e9a27f42e103ab45252c83727415367/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-10 03:14:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4q3a5r2f4i6aq5j6mezg73f4fxjuj7ufyidvncskledoj2bkntq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/200910-9j363gcmpj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Drops file in Windows directory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c721b0763a2f11e043a9f309937f65e16e9a27f42e103ab45252c83727415367

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/58401/

Comments