MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb1ac37436c7ce42fd6ecb46732e44c632bea6645a51ceba5f4e186688befb6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb1ac37436c7ce42fd6ecb46732e44c632bea6645a51ceba5f4e186688befb6f
SHA3-384 hash: fc34d00929a8004d1d771e75dd3e709b5826d338d377fee88dfa743b5c5752de852190f794f77f6076a8b24ac604d335
SHA1 hash: 48cf2b114dad13ba2cd5231e0c4bc5cbd9c39eef
MD5 hash: 217ea33be70a1a6f4b9dbb397341c7eb
humanhash: bulldog-september-delaware-sodium
File name:Login failed report.exe
Download: download sample
File size:660'480 bytes
First seen:2022-08-11 13:40:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:0toKggb2iNdvpc++xIoEXWRQmykU+x0PtXM2TgN/0s:woKgK1XpSmooVTD3gi
TLSH T1CAE48CAFBB8C450FCC628B31E84C81B99FA5BCA17912CDEFB9937526D17029C661DD10
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.3% (.SCR) Windows screen saver (13101/52/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Login failed report.exe
Verdict:
Malicious activity
Analysis date:
2022-08-11 13:43:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d8cb3fe-dc24-428d-bf32-efa77aad3fa8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/297991/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f50768080024921b69f506/reports/4357bc04-eb4f-44b0-9761-feb297e4aa9c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f5c31c5d-9e2c-4fae-a5a6-32a16c50ec09
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1049973
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 682483 Sample: Login failed report.exe Startdate: 11/08/2022 Architecture: WINDOWS Score: 72 19 Antivirus detection for URL or domain 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AntiVM3 2->23 25 2 other signatures 2->25 6 Login failed report.exe 3 2->6         started        process3 file4 17 C:\Users\user\...\Login failed report.exe.log, ASCII 6->17 dropped 9 Login failed report.exe 6->9         started        11 Login failed report.exe 6->11         started        13 Login failed report.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb1ac37436c7ce42fd6ecb46732e44c632bea6645a51ceba5f4e186688befb6f/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-11 07:54:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
79
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmnmg5bwy7hef7lozndhglseyyzl5jtelji45os7jymgncf67nxq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220811-qy359saag3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
9f94d5a55c2b5d2e9192eb5f64df7e0c949aeb93a7d18593a58c3f8b9c9c5158
MD5 hash:
ef3733cce7d9aae86824a593e22d103f
SHA1 hash:
e008ec271f1fa358a3d18559dd8776cde8a85dd5
Link:
https://www.unpac.me/results/fb924352-3469-49af-bf57-e257ae8c62f9/
SH256 hash:
18eb60c0eb3e1c610526d9f4b42684ac36a2ebb521514a8770dca2f2afd7f471
MD5 hash:
7ca239778f9f46d28b08876564dba525
SHA1 hash:
973b0d0d98a83b7dfcf1bfce04a179b0f070b98c
Link:
https://www.unpac.me/results/fb924352-3469-49af-bf57-e257ae8c62f9/
SH256 hash:
4c1e65f484d4bc16f323a174d502b8ea380167391b408d50219995afe8f6a8e8
MD5 hash:
419bf9ab66f07199b5ae5d55618b50fd
SHA1 hash:
2c23fa473ee5ce898bacb7607e3341fada7f0e46
Link:
https://www.unpac.me/results/fb924352-3469-49af-bf57-e257ae8c62f9/
SH256 hash:
9b4aee132a0228378d66a57fda3a2030952309ef74cf2db724ac916b04d8c034
MD5 hash:
93c6391d23c1aa1ed66fb13f82f2ee31
SHA1 hash:
220098c3047c32b51ae13a5cc1e9beeef3da6e18
Link:
https://www.unpac.me/results/fb924352-3469-49af-bf57-e257ae8c62f9/
SH256 hash:
cb1ac37436c7ce42fd6ecb46732e44c632bea6645a51ceba5f4e186688befb6f
MD5 hash:
217ea33be70a1a6f4b9dbb397341c7eb
SHA1 hash:
48cf2b114dad13ba2cd5231e0c4bc5cbd9c39eef
Link:
https://www.unpac.me/results/fb924352-3469-49af-bf57-e257ae8c62f9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/cb1ac37436c7ce42fd6ecb46732e44c632bea6645a51ceba5f4e186688befb6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe cb1ac37436c7ce42fd6ecb46732e44c632bea6645a51ceba5f4e186688befb6f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/297991/

Comments