MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd4483ee1a2303cb7e2789f354944f063ae2d5b9f8fb9f3d6d136b53c2388b6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkComet


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd4483ee1a2303cb7e2789f354944f063ae2d5b9f8fb9f3d6d136b53c2388b6a
SHA3-384 hash: 5a84a69f5eee654d9a80e31d7da6fd54d2cbaa1dcea12e8d48a470494e3de0dcedf1d39c382229238aaa75d0c2e05789
SHA1 hash: b8748cdb8ef7109a2052906d9f354dda9ff1203c
MD5 hash: 01b72ba5282097c70c9ae5db844e0ed3
humanhash: beryllium-oxygen-beryllium-high
File name:01b72ba5282097c70c9ae5db844e0ed3
Download: download sample
Signature DarkComet
Create hunting rule
File size:1'683'968 bytes
First seen:2022-02-22 16:47:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:hKNiKP2sgA6xW1w+xmMi5GkcyG9B6B931q4jeZxuGwg7zy6NjoBkC5Pyw8R1H0bU:1rodqGkKB+Pj8xzy6SBkCMnI
Threatray 3'118 similar samples on MalwareBazaar
TLSH T1FE75F10526A34F3CF5B91BB699C6DCA0B3A8EE275D08F33D79813586CBB17408852677
File icon (PE):PE icon
dhash icon a2b0aca6a6bafe6a (4 x RemcosRAT, 2 x DarkComet, 2 x SnakeKeylogger)
Reporter zbetcheckin
Tags:32 DarkComet exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
583
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO_142204299.doc
Verdict:
Malicious activity
Analysis date:
2022-02-22 15:47:28 UTC
Tags:
exploit CVE-2017-11882 loader evasion trojan snakekeylogger keylogger
Link:
https://app.any.run/tasks/4f7dadbc-18af-4690-a224-a7b750e9cd71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Snake
Create hunting rule
Link:
https://www.capesandbox.com/analysis/243310/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.NanoBot.mc.30336.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Creating a file
Сreating synchronization primitives
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
DNS request
Sending an HTTP GET request
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a browser
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lokibot obfuscated packed replace.exe update.exe
Link:
https://www.filescan.io/uploads/621513caa2660f3bb92701aa/reports/1f703d10-5e87-40ce-ae66-146e219a339b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f5b01add-6ed1-4d1a-9ef4-b1f0cd10d780
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/944144
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 576622 Sample: lkvAkVxVSW Startdate: 22/02/2022 Architecture: WINDOWS Score: 100 80 Malicious sample detected (through community Yara rule) 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 7 other signatures 2->86 9 lkvAkVxVSW.exe 3 2->9         started        13 Synaptics.exe 2 2->13         started        15 EXCEL.EXE 2->15         started        process3 file4 56 C:\Users\user\AppData\...\lkvAkVxVSW.exe.log, ASCII 9->56 dropped 110 Machine Learning detection for dropped file 9->110 112 Contains functionality to detect sleep reduction / modifications 9->112 17 lkvAkVxVSW.exe 1 5 9->17         started        20 lkvAkVxVSW.exe 9->20         started        22 Synaptics.exe 13->22         started        signatures5 process6 file7 40 C:\Users\user\...\._cache_lkvAkVxVSW.exe, PE32 17->40 dropped 42 C:\ProgramData\Synaptics\Synaptics.exe, PE32 17->42 dropped 44 C:\...\Synaptics.exe:Zone.Identifier, ASCII 17->44 dropped 24 Synaptics.exe 3 17->24         started        27 ._cache_lkvAkVxVSW.exe 15 2 17->27         started        46 C:\ProgramData\...\._cache_Synaptics.exe, PE32 22->46 dropped 30 ._cache_Synaptics.exe 22->30         started        process8 dnsIp9 96 Multi AV Scanner detection for dropped file 24->96 98 Drops PE files to the document folder of the user 24->98 32 Synaptics.exe 202 24->32         started        70 checkip.dyndns.com 158.101.44.242, 49758, 49794, 80 ORACLE-BMC-31898US United States 27->70 72 freegeoip.app 188.114.97.7, 443, 49763, 49956 CLOUDFLARENETUS European Union 27->72 78 2 other IPs or domains 27->78 100 Machine Learning detection for dropped file 27->100 74 193.122.130.0, 49837, 80 ORACLE-BMC-31898US United States 30->74 76 checkip.dyndns.org 30->76 102 Antivirus detection for dropped file 30->102 104 May check the online IP address of the machine 30->104 106 Tries to steal Mail credentials (via file / registry access) 30->106 108 Tries to harvest and steal browser information (history, passwords, etc) 30->108 signatures10 process11 dnsIp12 58 docs.google.com 172.217.168.14, 443, 49771, 49772 GOOGLEUS United States 32->58 60 freedns.afraid.org 69.42.215.252, 49774, 80 AWKNET-LLCUS United States 32->60 62 xred.mooo.com 32->62 48 C:\Users\user\Documents\CURQNKVOIX\~$cache1, PE32 32->48 dropped 50 C:\Users\user\Desktop\lkvAkVxVSW.exe, PE32 32->50 dropped 52 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 32->52 dropped 54 3 other malicious files 32->54 dropped 36 ._cache_Synaptics.exe 32->36         started        file13 process14 dnsIp15 64 188.114.96.7, 443, 49885 CLOUDFLARENETUS European Union 36->64 66 freegeoip.app 36->66 68 2 other IPs or domains 36->68 88 Antivirus detection for dropped file 36->88 90 May check the online IP address of the machine 36->90 92 Tries to steal Mail credentials (via file / registry access) 36->92 94 2 other signatures 36->94 signatures16
Detection:
snakekeylogger
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cd4483ee1a2303cb7e2789f354944f063ae2d5b9f8fb9f3d6d136b53c2388b6a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-22 12:44:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvcih3q2emb4w7rhrhzvjfcpay5ofvnz7d5z6plncnvvhqryrnva._file
Verdict:
malicious
Similar samples:
2a7d77404a47a368e29147ecd69687338c3e0ebefb137d459b28ed0305420620
DarkComet
2ca6095540ff0d50021a7191653b2d002cf1a4122330ecbd4e1891c67849e1b0
DarkComet
3c010d88a118ba3cc666e05c6f8f82159ac38e5486b5ed60c65d870287b8cff6
DarkComet
6e2c1783d043a360901610858e7469d1c667151d29e1cca0002db3bc131ccc37
DarkComet
6ecfdff224175dade2cbf63719974b5335c1a81cf787142681163ddf882ce00e
DarkComet
95272a070df2cf2988d238138d1eadcfeffe68e311d904f83969b2fd71b62f60
DarkComet
c3e4c2e1e242cf92142f4d4fb1896354cfa07089f40243b31046ff3eae8ac2c8
DarkComet
f325f118ddd27282969ef3c04032349cfeacf3dc7932f0443d6126a4788cbbda
DarkComet
+ 3'108 additional samples on MalwareBazaar
Result
Malware family:
snakekeylogger
Create hunting rule
Score:
  10/10
Tags:
family:snakekeylogger collection keylogger persistence spyware stealer
Link:
https://tria.ge/reports/220222-va45wacdak/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Snake Keylogger
Snake Keylogger Payload
Malware Config
C2 Extraction:
https://api.telegram.org/bot5209311951:AAE43127sIXfPIuvnjTJ5kLyfax26OfOdRQ/sendMessage?chat_id=1714068611
Unpacked files
SH256 hash:
1021d656e0ea57d2622cef7771647372693c0d0126a574365c2e705aafa5389f
MD5 hash:
36076340214ae8666590593943b7d8eb
SHA1 hash:
24bfcf7d7f49849272f78df21c7135e840a663ba
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
SH256 hash:
797cfc515075e8d5977a0690dc50fa2d9b7f82163d673111bdfe85f0c8c31c06
MD5 hash:
96fd19cf7f94278634eac684280905d9
SHA1 hash:
532f5f2b2041df1d69ed304c517e4de19949f5dd
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
SH256 hash:
e3bdaf9e98eb65a070cf4424bc123e57ade151c41e4a0d375e769749155c1715
MD5 hash:
78a25e75b94923e889ecd100349facbe
SHA1 hash:
6b3f8db525d3c98f92ed480e664ab8ee9458340b
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
SH256 hash:
8cc1e994b6b1cff7025eb42b9e3ea5b589679975cb896a32cae051ea96ef9ca2
MD5 hash:
129c8e40ea0c316efb1def626c871a92
SHA1 hash:
a6419e2f3a051122f588a187b895e923601fda1b
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
SH256 hash:
0e0b460e81fbac40c40e4d44763d4836dc30ccb034ac187be9e72c0fbf2c03de
MD5 hash:
f3a38d1cce5103f70475f50ecb526168
SHA1 hash:
ae64dab9177200911b62e131a004c60d5b1e7372
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
SH256 hash:
b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2
MD5 hash:
c0ef4d6237d106bf51c8884d57953f92
SHA1 hash:
f1da7ecbbee32878c19e53c7528c8a7a775418eb
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
SH256 hash:
cd4483ee1a2303cb7e2789f354944f063ae2d5b9f8fb9f3d6d136b53c2388b6a
MD5 hash:
01b72ba5282097c70c9ae5db844e0ed3
SHA1 hash:
b8748cdb8ef7109a2052906d9f354dda9ff1203c
Link:
https://www.unpac.me/results/b13bb9a1-94e9-4766-b8b7-ceb52cb763df/
Malware family:
Phoenix
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/cd4483ee1a23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.54
Link:
https://yomi.yoroi.company/submissions/cd4483ee1a2303cb7e2789f354944f063ae2d5b9f8fb9f3d6d136b53c2388b6a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DarkComet

Executable exe cd4483ee1a2303cb7e2789f354944f063ae2d5b9f8fb9f3d6d136b53c2388b6a

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2053615/
Cape
Cape
https://www.capesandbox.com/analysis/243310/

Comments


Avatar
zbet commented on 2022-02-22 16:47:55 UTC

url : hxxp://peak-tv.tk/templezx.exe