MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d6d9a32fd696e4980d644f655563379ba7b04a2e3db03bbe6fbfb894fa68b152. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d6d9a32fd696e4980d644f655563379ba7b04a2e3db03bbe6fbfb894fa68b152
SHA3-384 hash: 7bac71c12d9d5ee57ba9dc1e92236f6420ac3856a2d96b4a6b0fcddff672533c3bd69ab3de1d530ca82b7dea846731fa
SHA1 hash: 88bcd8e12bc6c7d9fee6948ae1923b4d8a9c0e62
MD5 hash: ce56f130c12f75c8b26151d1c3a6de37
humanhash: salami-tango-lithium-mississippi
File name:ce56f130c12f75c8b26151d1c3a6de37.exe
Download: download sample
File size:294'400 bytes
First seen:2020-10-14 14:49:10 UTC
Last seen:2020-10-25 20:55:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:NdJ8TzKStzgzwp/15hvdNeOu7x36zcuDYlclza/nEO+Z95G2NiwwGU3lbo8CM:98TWEEkV1TSKzlicBa/EO45G2NiwrxU
Threatray 495 similar samples on MalwareBazaar
TLSH 60544BD93B51798FDA2E8C72C9141E30A621B666630FF3973463B1EB6E4E7568E010F1
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70818/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the Windows subdirectories
Creating a file
Creating a window
Launching a process
Changing a file
Setting a global event handler
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/491119
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298036 Sample: ucBbre8Te4.exe Startdate: 14/10/2020 Architecture: WINDOWS Score: 96 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Machine Learning detection for sample 2->68 70 2 other signatures 2->70 8 cmd.exe 1 2->8         started        10 ucBbre8Te4.exe 1 2->10         started        14 taskkill.exe 1 2->14         started        process3 file4 16 bj3wqujm.exe 2 8->16         started        19 conhost.exe 8->19         started        54 C:\Users\user\AppData\...\ucBbre8Te4.exe.log, ASCII 10->54 dropped 72 Injects a PE file into a foreign processes 10->72 21 ucBbre8Te4.exe 4 10->21         started        24 ucBbre8Te4.exe 10->24         started        26 conhost.exe 14->26         started        signatures5 process6 file7 56 Antivirus detection for dropped file 16->56 58 Multi AV Scanner detection for dropped file 16->58 60 Detected unpacking (overwrites its own PE header) 16->60 62 Disables Windows Defender (via service or powershell) 16->62 28 powershell.exe 20 16->28         started        30 powershell.exe 16->30         started        32 powershell.exe 16->32         started        36 8 other processes 16->36 52 C:\Windows\Temp\bj3wqujm.exe, PE32 21->52 dropped 34 cmstp.exe 9 7 21->34         started        signatures8 process9 process10 38 conhost.exe 28->38         started        40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        44 conhost.exe 36->44         started        46 conhost.exe 36->46         started        48 conhost.exe 36->48         started        50 4 other processes 36->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d6d9a32fd696e4980d644f655563379ba7b04a2e3db03bbe6fbfb894fa68b152/
Threat name:
ByteCode-MSIL.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-14 14:51:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Verdict:
suspicious
Similar samples:
17c7aa7df0ffa47ac142bcf82edb465eedabcc7a307e8726eb12c92698302e16
268ea227f9a30b6221814ba9efe354f2ab07607b6273c8b51fb33d19aa332295
4106d7796887912eef46c78f6f62593d12152ae114e6e67c004afcaddb4296f5
4a2e8f13ad2ce022158574edb3ab566db4544ec1dcda648845b16bc754f4e321
7372e91ca331f6ae841f5251de3ee8d34084f96cd089c8d56b8a600767d76a16
7d16317ca81889aab8d6d82440ab0fb2375d4ef7747f2b1d77936fd79141ba77
7eb93c8845e8c4107c6998a9f87383cc33c8529e612384adb040249f0aef235c
8dbb450904a856d84c818235a7cf866809e5456fc1e3b535ba44cb91f85ebfd8
98cfc2f76ee8cefd9aa0b9be4c317800223f93ffb6e63577e8a9466693585515
c5e0aca5108536d030a5ca781ae1610f8868d67082e35bf3ba3123f333dd27a3
+ 485 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201014-c3ft3a9bys/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
3a9c958806872045c65936980c8b9b6a1390bec4065fa2b19f312f021e4d964b
MD5 hash:
a120b396e4b3b03ca74d55230e7cdd18
SHA1 hash:
152682a454ced499b33a4be0db28a63c22ba5d0f
Link:
https://www.unpac.me/results/4e7f48cc-11ae-4aa0-b515-28b5a45206d3/
SH256 hash:
087d0c0315da38a9c29aab66a628d05b169013d8135de9652e6a83bee15e8d8d
MD5 hash:
215d10c58de49c8d224e9a77d42961db
SHA1 hash:
2bb0effd16fb00c44aa78ba949a0e0d9a1cb4f94
Link:
https://www.unpac.me/results/4e7f48cc-11ae-4aa0-b515-28b5a45206d3/
SH256 hash:
f7d9066a5a7e131be46e8857403e93e9bc24a64531cd9c6f9372f7a149100865
MD5 hash:
ab4e71e387fed9ff8e5fe60ffab1d8f3
SHA1 hash:
5652006d42740ee8b59caa75ac37afffb156ba5c
Link:
https://www.unpac.me/results/4e7f48cc-11ae-4aa0-b515-28b5a45206d3/
SH256 hash:
d6d9a32fd696e4980d644f655563379ba7b04a2e3db03bbe6fbfb894fa68b152
MD5 hash:
ce56f130c12f75c8b26151d1c3a6de37
SHA1 hash:
88bcd8e12bc6c7d9fee6948ae1923b4d8a9c0e62
Link:
https://www.unpac.me/results/4e7f48cc-11ae-4aa0-b515-28b5a45206d3/
SH256 hash:
1774d1c6ef7bdaaf0413c16649a32f7f5f8915d7baf950178019829e5de62a44
MD5 hash:
77be59d7edee7fbd9180478ef792994f
SHA1 hash:
919fbe3e74fb3da5f8487b841a3a0f466b0c4d75
Link:
https://www.unpac.me/results/4e7f48cc-11ae-4aa0-b515-28b5a45206d3/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/4e7f48cc-11ae-4aa0-b515-28b5a45206d3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d6d9a32fd696e4980d644f655563379ba7b04a2e3db03bbe6fbfb894fa68b152

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d6d9a32fd696e4980d644f655563379ba7b04a2e3db03bbe6fbfb894fa68b152

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/686533/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/446500/
  
URLhaus
https://urlhaus.abuse.ch/url/439722/
  
URLhaus
https://urlhaus.abuse.ch/url/572763/
  
URLhaus
https://urlhaus.abuse.ch/url/572766/
Cape
Cape
https://www.capesandbox.com/analysis/70818/

Comments