MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d54e53b912c24b244ce8408743336521720fa613e769e8b5f81b5f795ce95f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d54e53b912c24b244ce8408743336521720fa613e769e8b5f81b5f795ce95f0e
SHA3-384 hash: 7650b7af62ddf5ba339e862ef89c170cb7329474a418aa53eaf96d7a27946c1c180600cfefd125ef8f475f4eb90c2d71
SHA1 hash: a907f2591db17385fcd4ed7c288a181b6295388b
MD5 hash: 25f96c94111ab7aee15248590435ccfa
humanhash: solar-grey-bulldog-carolina
File name:25f96c94111ab7aee15248590435ccfa
Download: download sample
File size:177'152 bytes
First seen:2021-11-02 11:01:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:bDRIoFtuokWjsTI+tpEHuGNly1diTraxKen6M0JoP6lO4TBKCNvbdoq826:blZTuoDjyI+tpPGNludmrawQ6MMW6lJi
Threatray 1'102 similar samples on MalwareBazaar
TLSH T1B804E1027698E955C22A97368CEB4410077E6C067823DF2F7DDC238D65527EA8B12AFD
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
44dd72dec4030403c065bc54a618eab0.zip
Verdict:
Malicious activity
Analysis date:
2021-11-01 07:13:14 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader
Link:
https://app.any.run/tasks/af224a14-6b24-4fd6-a526-1681b3b8cf13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/201402/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47300229.15364.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61811a71bf51178dbe487fb0/reports/634370f1-c54b-4994-8fca-746bc00fc6e8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2045a310-0f38-4d2e-a12c-6e9bb0e720a5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/881208
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 513638 Sample: aJ7y2bkWuS Startdate: 02/11/2021 Architecture: WINDOWS Score: 72 19 Multi AV Scanner detection for domain / URL 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected AntiVM3 2->23 25 2 other signatures 2->25 6 aJ7y2bkWuS.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\aJ7y2bkWuS.exe.log, ASCII 6->17 dropped 9 aJ7y2bkWuS.exe 6->9         started        11 aJ7y2bkWuS.exe 6->11         started        13 aJ7y2bkWuS.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d54e53b912c24b244ce8408743336521720fa613e769e8b5f81b5f795ce95f0e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 13:00:13 UTC
AV detection:
27 of 45 (60.00%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
19445d7251f9c133c6bf786d987a6e333f6fcb0832f974a273ab73202a2e40c9
28c85ce815a5ec78b83e7242c61a532b20a35d98dd477444f31cf6bfa1f3b581
3f19c818bd432a2e6878d981e658cbd682cdc42ae9f8ac641bda8f9efc4fd5c6
5889040fb45429e22c5c19d772792ed50fc068397e181162fe5dd81fc1aedda9
6b331776ecc8fc4a7cf726ac1bc9f21b3f284e0f070e490667b8cc1e173298bd
ae44ac39386b17ff52d301bf4948ea92a0b4342b21b04dd971acb443aee99c2b
cd80f67f830bca1b4b43a421ed5075f8272b8955b45266986c3e284ed4239515
dd80b5beee0a95da5e71f14d82defe89c60ce015c6221d4d534beb03088cff11
e9e19af78e65509f8ef39f382e6a0cb89e15e054177da6d29dfed617e5ab75e5
+ 1'092 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211102-m4j3sscdc4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785
MD5 hash:
171a2669225911b41301096cd9dcf19f
SHA1 hash:
dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5
Link:
https://www.unpac.me/results/3ed9b84e-1d5b-4542-b909-005109c94e11/
SH256 hash:
9aed059e2b0b101971bb2773c870dc6ef61cf354d2d42f05594aab768b3c7389
MD5 hash:
706ba27eca3af82417e474dcff911e4b
SHA1 hash:
7559191bae4f9c057ecc78d2b13bc29c147cd9c0
Link:
https://www.unpac.me/results/3ed9b84e-1d5b-4542-b909-005109c94e11/
SH256 hash:
d54e53b912c24b244ce8408743336521720fa613e769e8b5f81b5f795ce95f0e
MD5 hash:
25f96c94111ab7aee15248590435ccfa
SHA1 hash:
a907f2591db17385fcd4ed7c288a181b6295388b
Link:
https://www.unpac.me/results/3ed9b84e-1d5b-4542-b909-005109c94e11/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/d54e53b912c24b244ce8408743336521720fa613e769e8b5f81b5f795ce95f0e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d54e53b912c24b244ce8408743336521720fa613e769e8b5f81b5f795ce95f0e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1738880/
Cape
Cape
https://www.capesandbox.com/analysis/201402/

Comments


Avatar
zbet commented on 2021-11-02 11:01:06 UTC

url : hxxp://103.167.90.85/0111/vbc.exe