MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d106dc84063994caa8d9e5ca8a95c62157cbe48a2b8076a02d909658ae5e35e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d106dc84063994caa8d9e5ca8a95c62157cbe48a2b8076a02d909658ae5e35e4
SHA3-384 hash: 914b18e7402d2be4322c4479a5df0112fd6f668d6dc8f297f40eba6dfc00364576deab5fd1d9c30b9b9de3f9579383e2
SHA1 hash: add953c67e66b92e80613cfc46c75c661e57b16b
MD5 hash: 3f38e502a9f2007849879b5c10131754
humanhash: video-oranges-mobile-gee
File name:3f38e502a9f2007849879b5c10131754
Download: download sample
File size:437'824 bytes
First seen:2022-08-18 07:44:19 UTC
Last seen:2022-08-18 08:32:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:+tumBUDsPTo2wAhjihfuys0JkgSHutyKWsbu18IDO4WlFOF1i/:+rBUDs7o2wQjmfup0J1SHutfbm9K4Wb/
Threatray 1'781 similar samples on MalwareBazaar
TLSH T1B894BF483AD0A54EC846A432C09E0D2407A36F126763EF477B1F36FE8A3D2A7DF05596
TrID 52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.5% (.EXE) Win64 Executable (generic) (10523/12/4)
4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 71f8e4e0b0e0e871 (4 x AgentTesla, 3 x Formbook, 1 x Loki)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3f38e502a9f2007849879b5c10131754
Verdict:
Suspicious activity
Analysis date:
2022-08-18 07:44:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36a837ae-d4b9-49be-bc1a-25b046357638

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/299530/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.345.28798.28616.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated overlay packed
Link:
https://www.filescan.io/uploads/62fdee06a6276e777d2a01e9/reports/8f485be1-7170-4dca-bba5-3f356ebeb3da/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/53e160de-c177-4c52-955d-a27b54b7ec52
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1053651
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d106dc84063994caa8d9e5ca8a95c62157cbe48a2b8076a02d909658ae5e35e4/
Threat name:
ByteCode-MSIL.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-08-17 09:39:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ednzbaghgkmvkgz4xfivfogefl4xzekfoahnibnsclfrls6gxsa._file
Verdict:
malicious
Similar samples:
15423b4b842ca05303dfec7d55fbd64d467bf3ce0e3f0c732f86e2b6c9d81745
1d322ad6c295b0ee8a552e96ac231c4d9259141c9ed22f7319c7f169eaecee71
1eda4a3f73cd27fca8f8eb8c6be6dded3db13f7ec736a98282fc1dc444577de2
3b1dc7e0c9154fe384c695f8eec5622ab2ba88bf59d990def6b2c11d8519cecf
58149a24884e425f40c7f2dfd541e5380573e4dccf270564b4ae71df235bbc87
72146e890efa1de6ee90e445ceb11ad9dc3b053fa5e82757756a393ee4617a77
a2eedaf98eddfe127f05ad7d8ee31b718f2053d77e719346b998e7e22b1cfa0f
d07e7f7f409d82270a54d63f0ee9e38442665d91a5dc193bcadfe45452d8cf46
+ 1'771 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220818-jldlhsede8/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
31d637f0a2f66baacab455da77c1e7a18ee2eb438e8ae22c90bdb5a7165f862b
MD5 hash:
9a43fbb66065b45851b5500ac16bc4b6
SHA1 hash:
2da9d2ab310e5ad8e1493882c69c64818c333321
Link:
https://www.unpac.me/results/538a0bf9-36b2-4350-a2e9-2006497109af/
SH256 hash:
d106dc84063994caa8d9e5ca8a95c62157cbe48a2b8076a02d909658ae5e35e4
MD5 hash:
3f38e502a9f2007849879b5c10131754
SHA1 hash:
add953c67e66b92e80613cfc46c75c661e57b16b
Link:
https://www.unpac.me/results/538a0bf9-36b2-4350-a2e9-2006497109af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/d106dc84063994caa8d9e5ca8a95c62157cbe48a2b8076a02d909658ae5e35e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:INDICATOR_KB_CERT_1f3216f428f850be2c66caa056f6d821
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d106dc84063994caa8d9e5ca8a95c62157cbe48a2b8076a02d909658ae5e35e4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/299530/
  
URLhaus
https://urlhaus.abuse.ch/url/2274192/

Comments


Avatar
zbet commented on 2022-08-18 07:44:21 UTC

url : hxxp://103.207.39.251/document/vbc.exe