MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8e3013549745ed40ee43e282037916d2e6365d8e79e94970677b25d167057e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c8e3013549745ed40ee43e282037916d2e6365d8e79e94970677b25d167057e8
SHA3-384 hash: cd1b284e8f41b1941ca6e2dcab1a0771f536572ab9939a4fb80513ae81377109bb745f476f49ed71561fb3a77f0d74f7
SHA1 hash: 66ad0b0125f381b4e5d12b2eb7f20f95b3f38370
MD5 hash: fc6d55444facba90278708aad061e68b
humanhash: oscar-blossom-mike-five
File name:ORDER - 22242 KARAKTER - CAP-516212 SAV 1-40HQ container 6331832230.exe
Download: download sample
File size:2'056'704 bytes
First seen:2022-04-22 13:28:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:EX09KVfGoxBufKPSxLa3qIHZz/WImrjC+F7d:N4V1ufWSxWqYqW+F
Threatray 1'242 similar samples on MalwareBazaar
TLSH T143955B4EA2461D5AFD40E3B0CA773B252B9C9E7B084D635793A4713FA43F3A85E40792
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f4f0dcccccd6c0e4 (1 x XFilesStealer)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
206
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265821/
Detection(s):
Win.Trojan.EmbeddedDotNetBinary-9940868-0
Create hunting rule

Win.Trojan.EmbeddedReversedDLL-9940922-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated packed
Link:
https://www.filescan.io/uploads/6262ae4321260883b1995727/reports/032683ad-2c28-40ae-85b0-f66685e362da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3c7a12b6-dfd7-4c5c-be50-f4b695aec05a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/981389
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c8e3013549745ed40ee43e282037916d2e6365d8e79e94970677b25d167057e8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-04-13 08:41:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zdrqcnkjorpnidxehyucan4rnuxggzoy46pjjfygo6zf2ftqk7ua._file
Verdict:
malicious
Similar samples:
3c9e12f3f9ef87f807a395834268564d454b46df81a60d679353a89ed7fa18ad
3ff1a435a0ca5ff3346ef2663f83d8c472687078c2d20c0a567aefe91006ee10
44e1fc8d3558bd5caa25ec85f99363873fefdab67ec1a478e67a93ffa993c850
45440ff61950e60ffe3af3d1b56641f2e7b1f681510b37d25d50c0cbacecf6bc
90e04c24a8b6d9e6fa70821c848c1ccd7ff1f1bc2c78d19c5bc2fa09838a436e
cdd0917d044e094cf8f67787668dabaa1a8b3cdbb08859bcec8246df2e3fa6cb
dcbf9df2e983476aefaba6c89d3b7a8faee511738653568ff0008d8a8aac0aa0
de8f9a6e7daa6b84aa2795592c47c49ea1f5230bce9adc8eb0b8e08ecf71efc1
+ 1'232 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220422-qq749acdc8/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
89d1102561d1ae7dde9ac8f13e31ad1e9872b6adb1c35c7218cb3b88abfc0675
MD5 hash:
9a3dbb660d1add2046d336a91cdfac24
SHA1 hash:
2a24bdc712901a4270566e08cf9943bb31ec7411
Link:
https://www.unpac.me/results/c8fdf42f-d32b-44d3-b837-7427375f93ec/
SH256 hash:
c8e3013549745ed40ee43e282037916d2e6365d8e79e94970677b25d167057e8
MD5 hash:
fc6d55444facba90278708aad061e68b
SHA1 hash:
66ad0b0125f381b4e5d12b2eb7f20f95b3f38370
Link:
https://www.unpac.me/results/c8fdf42f-d32b-44d3-b837-7427375f93ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c8e3013549745ed40ee43e282037916d2e6365d8e79e94970677b25d167057e8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Typical_Malware_String_Transforms
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research
Rule name:Typical_Malware_String_Transforms_RID3473
Create hunting rule
Author:Florian Roth
Description:Detects typical strings in a reversed or otherwise modified form
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265821/

Comments