MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d97a1964d6d748eefd93d84b6b87d9292a885fab552c64547100aa9e6a5520c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d97a1964d6d748eefd93d84b6b87d9292a885fab552c64547100aa9e6a5520c6
SHA3-384 hash: dd81fc450baf75a2662b57a93d1c2750b978a2744a689cffef4bdac2887e7db86c14e373126b7d36382332732455c2e5
SHA1 hash: 4c69f4000c51b3c9a4abea9b44e745a43835d352
MD5 hash: 65917efef3ef909e5b4e27b132b4c6cb
humanhash: lima-triple-carbon-nineteen
File name:65917efef3ef909e5b4e27b132b4c6cb
Download: download sample
File size:16'896 bytes
First seen:2023-01-30 10:54:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 192:qpRp6Pkgsk1qqPymHFn50T0z1WclD6S7Qsa8VaZRmMLx:qZ6ldqs50QRWUD6SEsaCm
Threatray 4 similar samples on MalwareBazaar
TLSH T16A72C504B7A48A7AE89A4376DC6387CC037CBE4F1482DB6A6C9874D79D367D005F3626
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 69f8e0baaae4f069 (1 x njrat)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
proof of payment & invoice copy.docx
Verdict:
Malicious activity
Analysis date:
2023-01-30 08:22:14 UTC
Tags:
trojan exploit cve-2017-11882 opendir rat remcos
Link:
https://app.any.run/tasks/26273303-b50c-430a-8a51-eee183ecd749

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358243/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/63d7a20889bd67c10fdb838b/reports/c78823fd-75df-4b46-8946-fa8687328004/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dda7b52c-8f2e-4479-977a-a56f0c6eed51
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1161506
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d97a1964d6d748eefd93d84b6b87d9292a885fab552c64547100aa9e6a5520c6/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-30 10:55:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
14 of 26 (53.85%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3f5bszgw25eo57mt3bfwxb6zfeviqx5lkuwgivdracvj42svedda._file
Verdict:
unknown
Similar samples:
731adf2e11160b6cf67dc393dfd47d89f9e80b74e8754050a53b6ca51323517d
d6c07400bf5901c1d43db1590474b77df52eefd02e9bb90b1c8a5d79ded4e194
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230130-mz476sab32/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
d97a1964d6d748eefd93d84b6b87d9292a885fab552c64547100aa9e6a5520c6
MD5 hash:
65917efef3ef909e5b4e27b132b4c6cb
SHA1 hash:
4c69f4000c51b3c9a4abea9b44e745a43835d352
Link:
https://www.unpac.me/results/20471842-b537-4041-af91-6f114f8e2ad4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/d97a1964d6d748eefd93d84b6b87d9292a885fab552c64547100aa9e6a5520c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe d97a1964d6d748eefd93d84b6b87d9292a885fab552c64547100aa9e6a5520c6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/358243/
  
URLhaus
https://urlhaus.abuse.ch/url/2522491/

Comments


Avatar
zbet commented on 2023-01-30 10:54:22 UTC

url : hxxp://212.193.30.4/235/vbc.exe