MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcad9f659dc4eba1e24a19a68661e64aee4c4ba1e9465fab91535c3db50dfe5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcad9f659dc4eba1e24a19a68661e64aee4c4ba1e9465fab91535c3db50dfe5a
SHA3-384 hash: 2ccc669480d2ee27ab6edbddcd74a40085e2350fc98bb7d152ac7648298a3101949a1f4cc4b6f68add5a08c3b62bb5a7
SHA1 hash: d4c7c66769d9b5be18f68777590d9369dd9a057f
MD5 hash: 13f4b7e1f2c04b807975514036ca9c09
humanhash: neptune-helium-beer-salami
File name:13f4b7e1f2c04b807975514036ca9c09.exe
Download: download sample
File size:563'712 bytes
First seen:2020-12-08 07:41:03 UTC
Last seen:2020-12-08 09:31:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'651 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:lt/iejeKH7eC4bBcnBcu1yLXRDnVzMv9BX5KA:lt0K4bGniZZMvHp
TLSH E9C4AD353E606EA3D1BECBF254247250CFB1A62B656DE2CC6CC611DE46F5F104A89E23
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://brice.ac.ug/ds2.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-08 04:27:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b51e90df-40f0-4740-9773-d368c9a5b169

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107179/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6124.9811.7621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/557669
Signature
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 327932 Sample: BXR3qWEnLb.exe Startdate: 08/12/2020 Architecture: WINDOWS Score: 68 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected AntiVM_3 2->42 44 Machine Learning detection for sample 2->44 46 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->46 8 BXR3qWEnLb.exe 3 2->8         started        process3 file4 38 C:\Users\user\AppData\...\BXR3qWEnLb.exe.log, ASCII 8->38 dropped 48 Injects a PE file into a foreign processes 8->48 12 BXR3qWEnLb.exe 1 1 8->12         started        14 backgroundTaskHost.exe 8->14         started        signatures5 process6 process7 16 powershell.exe 21 12->16         started        18 powershell.exe 8 12->18         started        20 powershell.exe 8 12->20         started        22 10 other processes 12->22 process8 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 conhost.exe 22->34         started        36 7 other processes 22->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcad9f659dc4eba1e24a19a68661e64aee4c4ba1e9465fab91535c3db50dfe5a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-07 17:33:27 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201208-g2xhlt5adn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Windows security modification
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
dcad9f659dc4eba1e24a19a68661e64aee4c4ba1e9465fab91535c3db50dfe5a
MD5 hash:
13f4b7e1f2c04b807975514036ca9c09
SHA1 hash:
d4c7c66769d9b5be18f68777590d9369dd9a057f
Link:
https://www.unpac.me/results/70bf8a8c-5a14-41e4-ab4b-f0507d6a3e21/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/70bf8a8c-5a14-41e4-ab4b-f0507d6a3e21/
SH256 hash:
ba0f6174f3073043ae502d4bfc53cf1d4191bb8c55eeb8836737c18cbd69e479
MD5 hash:
a248e00f01de0f68beda1c19bc1f963c
SHA1 hash:
43beb8678dc555bb1b1d8cd165bf3cdf332f71f3
Link:
https://www.unpac.me/results/70bf8a8c-5a14-41e4-ab4b-f0507d6a3e21/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/70bf8a8c-5a14-41e4-ab4b-f0507d6a3e21/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dcad9f659dc4eba1e24a19a68661e64aee4c4ba1e9465fab91535c3db50dfe5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe dcad9f659dc4eba1e24a19a68661e64aee4c4ba1e9465fab91535c3db50dfe5a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/686521/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/878741/
  
URLhaus
https://urlhaus.abuse.ch/url/439791/
  
URLhaus
https://urlhaus.abuse.ch/url/447390/
Cape
Cape
https://www.capesandbox.com/analysis/107179/

Comments