MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c
SHA3-384 hash: c54538e6dd5ae695f6eefe1dc33aac676260fab8871a604559a24c6779c4806c7178f14d1b2a07056922d1d522529995
SHA1 hash: 6fee53382d6c078ba08ade5a03bf3465715a31eb
MD5 hash: adaae7414fc8b8a2c26eb1c4f4c55fa0
humanhash: north-golf-romeo-seventeen
File name:cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c
Download: download sample
File size:674'304 bytes
First seen:2021-02-28 07:08:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:FmdLV9hr+4QIVX78HGuNEAHJJ/WyPFxk0BzCk+9qnl/8n4pWkrKtT5zwryY:G9hr+dKX78muNEueWDk0RC9su4/rKtT8
Threatray 796 similar samples on MalwareBazaar
TLSH FCE4231ADB526D13C2300EFE8DAB81802779EA149BF1DA76478CBB7261717F4CD6B024
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c
Verdict:
No threats detected
Analysis date:
2021-02-28 07:46:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/caeb8d18-db54-4e9e-a058-f4a029e64daf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119792/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing a file
Reading critical registry keys
Creating a file
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620729
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 14:38:13 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1041153379c269bf53b5a08bb85d576d4f5bf9a0b711f42686dbfbff035ee995
17431eab4f753e88127e1bf94a796cb4f001ae3c0300ed8b98522713e7ac8e8e
19a8e4f9fb01ff4333c81f78bba61e42d516c860e8974e059be82f2bf9d5a641
1ba1a86e6f5e0e1e2f1a596018465345a90822163264c05647e8155edb88ce64
500ca56a7de01fbde3cdd1fcb392eb2a77b2706665a7a2e08e00ce8b405c27d5
7b8737c1334e0ed07632ae06bf455a47ca63ed00b8dc3633d09b028c91868405
82df2d9ba67f275874caca138baea0b54e90ffd727d561072243a9d9026569ae
897a1305d267937baedeaf75e35e386efbb9c5d7d66819aaecfd885e84196142
a6184cc11ae5e53a2c52fc668690561b0ed9b7217e0ff7c0b236bce30fba1da3
eac957f655d15206f8875a31eb0b225040ee39015ff01189901f78230e39c33f
+ 786 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/210228-4xq1kvx8yj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
3686add615c5a3a3dfed005644f13a23b2f394167cc57daad526e8b8f29b922e
MD5 hash:
d51ad3f0c76fbdeda90cda1c562b8d31
SHA1 hash:
8dc7a67d01fde2f1b029c689887f003f7d1f0645
Link:
https://www.unpac.me/results/f87190e4-1b95-4b99-9374-9296abed8803/
SH256 hash:
ed45341361592b4d72c24a9071b5f483deb574292f6f14d822f5afae05441b1a
MD5 hash:
e66ca907a49ce75adb6152a11dee1adf
SHA1 hash:
0bf658e904ffe526076a18d0bed669dcb793230c
Link:
https://www.unpac.me/results/f87190e4-1b95-4b99-9374-9296abed8803/
SH256 hash:
736bed79f8779fd0fded1ef9bc7b7d377a207642bfef58485505d957bef94bab
MD5 hash:
52f76ffc89a347bd77ad31f151b684a7
SHA1 hash:
021647972707ec32551f2f79b1d09f84010aa675
Link:
https://www.unpac.me/results/f87190e4-1b95-4b99-9374-9296abed8803/
SH256 hash:
cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c
MD5 hash:
adaae7414fc8b8a2c26eb1c4f4c55fa0
SHA1 hash:
6fee53382d6c078ba08ade5a03bf3465715a31eb
Link:
https://www.unpac.me/results/f87190e4-1b95-4b99-9374-9296abed8803/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd606b6517def70373af2bc7f92157ea0023a1178b4244a4cde44d122e52e52c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119792/

Comments