MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
SHA3-384 hash: c9e2a5c34191fef4334d8188070e6f04b0589faed028eeb7f19aa5b041efcf57a2ea37f1e8be56579d9ead58d3d78566
SHA1 hash: b7fa21295db0657d1767c05bb440b218cecdf521
MD5 hash: 556084cf64aec63e0babdf10a61afaa6
humanhash: autumn-magnesium-tennis-speaker
File name: SecuriteInfo.com.IL.Trojan.MSILZilla.17516.1351.10810
File size: 674'304 bytes
First seen: 2022-12-12 16:37:52 UTC
Last seen: 2023-01-01 05:13:25 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (49'075 x AgentTesla, 20'033 x Formbook, 12'353 x SnakeKeylogger)
ssdeep: 12288:LC/74rdbHgVBnqvFprkrUolVATWZXYm7ljg9hG80NEKXo1Y1UHC+O:LC/UGTWrkrUovUKfhkQNEwUnO
Threatray: 95 similar samples on MalwareBazaar
TLSH: T19EE4E00B41D569BEEC7A467F1B77AFF997AC7902A90DCA011751163A102C1CEBD02F72
TrID: 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
      5.9% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 8213013131341131 (10 x AsyncRAT, 4 x zgRAT, 1 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe

Intelligence

File Origin
# of uploads: 3
# of downloads: 156
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.IL.Trojan.MSILZilla.17516.1351.10810
Verdict: Suspicious activity
Analysis date: 2022-12-12 16:39:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a file
Creating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Running batch commands
Searching for the window
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Threat name: ByteCode-MSIL.Hacktool.ResInject
Status: Malicious
First seen: 2022-12-10 23:59:12 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 23 of 26 (88.46%)
Threat level: 1/5
Result
Malware family: n/a
Score: 8/10
Tags: upx
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
UPX packed file
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: 1713d44ecd52a0605feb9e5a75d60aace1cb3ea5a4669f9e2b45876bb5747d4d
MD5 hash: 4e1cf01f4fb387c105d5cd6a7e1fa52e
SHA1 hash: f707ed671212f3c0ed68fa53d9b1717e4ea4bf34
SHA256 hash: d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab
MD5 hash: 556084cf64aec63e0babdf10a61afaa6
SHA1 hash: b7fa21295db0657d1767c05bb440b218cecdf521
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d016fcbdb988d56df4c26d75a12e87a61010ed2366b52eefb8b409a1d8bcbaab (this sample)

Delivery method: Distributed via web download
