MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce8a42330051c8f04ec6b0b31d940d48f5645b7bdbdf56097a0803fff8283e9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash: ce8a42330051c8f04ec6b0b31d940d48f5645b7bdbdf56097a0803fff8283e9d
SHA3-384 hash: ad35e282c99bfe393914ee50f2e1f8e1211c0d9290aa0be51b3387d0550bc0340d3c0833dbaacaa412d3d48c0d3de933
SHA1 hash: b1b90c2489ea7f48dde113002b50810df218d9b3
MD5 hash: b36d39a8c8bafd6ed0e86d72c5617662
humanhash: helium-five-vegan-yellow
File name:SecuriteInfo.com.Trojan.Packed2.48815.12882.16410
Download: download sample
File size:85'504 bytes
First seen:2025-02-21 15:05:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 62 x CobaltStrike, 44 x JanelaRAT)
ssdeep 1536:CsmY2JIpAn22ZCHlmgF7ODo8vJNfmyMmNGyFol4g8qSajZOK:q6An22ZCH4+uo8vjfmgkya4g8qSajZ7
TLSH T11983F64337C88311D58C46FAC0E3552087F3B98BBAB3E6863E4546D61E527E8EEC9785
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
456
Origin country :
FR FR
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.1%
Tags:
virus agent msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
net_reactor obfuscated obfuscated obfuscated packed
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
64 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Multi AV Scanner detection for submitted file
Sigma detected: Bypass UAC via Fodhelper.exe
UAC bypass detected (Fodhelper)
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1621124 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 21/02/2025 Architecture: WINDOWS Score: 64 58 twc.trafficmanager.net 2->58 60 time.windows.com 2->60 62 4 other IPs or domains 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 .NET source code contains method to dynamically call methods (often used by packers) 2->66 68 Sigma detected: Bypass UAC via Fodhelper.exe 2->68 11 loaddll64.exe 1 2->11         started        signatures3 process4 process5 13 rundll32.exe 2 3 11->13         started        16 cmd.exe 1 11->16         started        18 rundll32.exe 3 11->18         started        20 3 other processes 11->20 signatures6 70 UAC bypass detected (Fodhelper) 13->70 22 cmd.exe 1 13->22         started        24 rundll32.exe 3 16->24         started        26 cmd.exe 18->26         started        28 cmd.exe 20->28         started        30 cmd.exe 20->30         started        process7 process8 32 fodhelper.exe 12 22->32         started        34 conhost.exe 22->34         started        36 cmd.exe 24->36         started        38 conhost.exe 26->38         started        40 fodhelper.exe 26->40         started        42 conhost.exe 28->42         started        44 fodhelper.exe 28->44         started        46 conhost.exe 30->46         started        48 fodhelper.exe 30->48         started        process9 50 svchost.exe 32->50 injected 52 conhost.exe 36->52         started        54 fodhelper.exe 36->54         started        process10 56 SystemSettingsAdminFlows.exe 50->56         started       
Threat name:
Win32.Exploit.Generic
Status:
Malicious
First seen:
2025-02-18 19:38:30 UTC
File Type:
PE+ (.Net Dll)
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Unpacked files
SH256 hash:
ce8a42330051c8f04ec6b0b31d940d48f5645b7bdbdf56097a0803fff8283e9d
MD5 hash:
b36d39a8c8bafd6ed0e86d72c5617662
SHA1 hash:
b1b90c2489ea7f48dde113002b50810df218d9b3
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:extracted_at_0x44b
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Author:malware-lu

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ce8a42330051c8f04ec6b0b31d940d48f5645b7bdbdf56097a0803fff8283e9d

(this sample)

  
Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments