MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbaaeed0df4f40e0ffeaa58c35dc0a42968b9a8c53491d459980375c58da268f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbaaeed0df4f40e0ffeaa58c35dc0a42968b9a8c53491d459980375c58da268f
SHA3-384 hash: f748cb347dc58cfda48332580dffd86e9fe5348ea8b94955929e2b66100afebba269f833c88ebb14a2478d03b24626c8
SHA1 hash: a0d81423af119a50840be5d1b7de55c6523173dc
MD5 hash: 924daeaeb20c3bd422ef77950ab14948
humanhash: kansas-nitrogen-floor-happy
File name:924daeaeb20c3bd422ef77950ab14948
Download: download sample
File size:67'512 bytes
First seen:2021-10-07 10:42:26 UTC
Last seen:2021-10-07 13:13:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:BrTqToFNppdN3OmrgBmD4pt71NBx7Xx4tgwfiNPah07+l2pKXgkB2Y:BrTqFd7BpSSwfiNm07+l2pKXgnY
Threatray 494 similar samples on MalwareBazaar
TLSH T1AD636C861709EB66D17FEB3994B2554017FAF607D726FA1EBEC400EE06A3F414600EA7
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
924daeaeb20c3bd422ef77950ab14948
Verdict:
Malicious activity
Analysis date:
2021-10-07 10:44:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/85eb9f3b-af64-4e0e-b417-27333571b797

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/195811/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.13403.29455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Deleting a recently created file
Creating a file in the Windows subdirectories
Launching a process
Creating a file
Delayed writing of the file
Blocking the Windows Defender launch
Blocking the User Account Control
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/615ecf3898a6280f393393dd/reports/4865a936-f94b-4ae4-9366-fccb218e27a9/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de8f4dbd-6c07-4fed-88b3-67042a7009c1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/866277
Signature
Adds a directory exclusion to Windows Defender
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via CMSTP
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Defender Exclusion
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 498708 Sample: u6TjeODCFF Startdate: 07/10/2021 Architecture: WINDOWS Score: 100 64 127.0.0.1 unknown unknown 2->64 76 Multi AV Scanner detection for dropped file 2->76 78 Sigma detected: Powershell adding suspicious path to exclusion list 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 7 other signatures 2->82 8 u6TjeODCFF.exe 24 11 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 70 cdn.discordapp.com 162.159.130.233, 443, 49737, 49741 CLOUDFLARENETUS United States 8->70 72 192.168.2.1 unknown unknown 8->72 52 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->52 dropped 54 C:\Users\user\AppData\...\???????????????.exe, PE32 8->54 dropped 56 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->56 dropped 62 2 other files (1 malicious) 8->62 dropped 86 Creates autostart registry keys with suspicious names 8->86 88 Drops PE files to the startup folder 8->88 90 Creates an autostart registry key pointing to binary in C:\Windows 8->90 96 3 other signatures 8->96 19 ???????????????.exe 8->19         started        24 powershell.exe 26 8->24         started        26 powershell.exe 24 8->26         started        34 8 other processes 8->34 74 162.159.135.233, 443, 49757, 49760 CLOUDFLARENETUS United States 13->74 58 C:\Windows\Temp\ps2oddhf.inf, Windows 13->58 dropped 92 System process connects to network (likely due to code injection or exploit) 13->92 94 Multi AV Scanner detection for dropped file 13->94 28 cmstp.exe 13->28         started        60 C:\Windows\Temp\wtacpbui.inf, Windows 15->60 dropped 30 WerFault.exe 17->30         started        32 cmstp.exe 17->32         started        file6 signatures7 process8 dnsIp9 66 162.159.133.233, 443, 49752, 49753 CLOUDFLARENETUS United States 19->66 68 cdn.discordapp.com 19->68 50 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 19->50 dropped 84 Adds a directory exclusion to Windows Defender 19->84 36 AdvancedRun.exe 19->36         started        38 conhost.exe 24->38         started        40 conhost.exe 26->40         started        42 AdvancedRun.exe 34->42         started        44 conhost.exe 34->44         started        46 conhost.exe 34->46         started        48 4 other processes 34->48 file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbaaeed0df4f40e0ffeaa58c35dc0a42968b9a8c53491d459980375c58da268f/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-07 10:43:07 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1f4ccad233d733ecf2c0374593f95ea0bd521a17e82206b17fd74948faca974c
368800079ca773a707d437855a41fa422f7337f3a9f36aff4f974301dd801089
519ba7ae267491633e2a01e55735586ba94829871e5c4ec2fe0a5c8fafe004b8
70cb4ed4ee85184589dc4b5bb72dd1313b133b428e6604bde1a7e1da7fb216ae
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
a24f5f4b32db9b6d284e1abd91640aefffd14dcc2c3c7b3942f6a7c02cfdbed2
a397a5fde8ef63a32f7867346eebabd48d1ddf0a60c0d95abf431d9d2c51e017
b3847e885fde014d20644ed7e2ac69d8c6708b05700a416721de68e77d7cd66f
c7ce97bf28191b9f81871421f7f6fea0c86fca516d3e8706e16c0f07e9e7ed5b
d642eb17671f269eddc3d1045845374a45eda0a7c3fd197d8b7f6a3355ba01d6
+ 484 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211007-mr866aceaq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
cbaaeed0df4f40e0ffeaa58c35dc0a42968b9a8c53491d459980375c58da268f
MD5 hash:
924daeaeb20c3bd422ef77950ab14948
SHA1 hash:
a0d81423af119a50840be5d1b7de55c6523173dc
Link:
https://www.unpac.me/results/8917765a-2458-40f9-8011-2d3dd28ed1c0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cbaaeed0df4f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cbaaeed0df4f40e0ffeaa58c35dc0a42968b9a8c53491d459980375c58da268f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cbaaeed0df4f40e0ffeaa58c35dc0a42968b9a8c53491d459980375c58da268f

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1659513/
Cape
Cape
https://www.capesandbox.com/analysis/195811/

Comments


Avatar
zbet commented on 2021-10-07 10:42:27 UTC

url : hxxp://elodomum.pt/js/star.exe