MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf
SHA3-384 hash: 995f52ad077e05eb705b937d7b56af42bd0ca652a6134f3cf516c760ff47c6042c759f62e2af46054caba50d9e5de570
SHA1 hash: 5e1dfef47a129c1ee490fe0c06615ae54ad4e7e6
MD5 hash: 437abb359165e8698ef19bbaf6175011
humanhash: triple-pizza-table-uniform
File name:SecuriteInfo.com.FileRepMalware.14694.23524
Download: download sample
File size:4'040'704 bytes
First seen:2024-10-14 18:39:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 98304:um8HzjTVjGUDDDuAJ5VlwgyZKTDJFa6h:um8Hz3cyDuAJ/qgdDPa
TLSH T18216C06A37D5D9E7CB62EB70C014B2D052E834F0AE59D29E891190DF212FF987934F68
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
364
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.FileRepMalware.14694.23524
Verdict:
Malicious activity
Analysis date:
2024-10-14 18:44:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23fabe03-04fe-4f71-b8bb-81dbebdc0666

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.14694.23524.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=670d65851d4ef219fa62a685
Tags:
Powershell Autorun
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed stealer vbnet
Link:
https://www.filescan.io/uploads/670d658450547d8c996bd993/reports/fa44f586-061f-4f84-81f3-5aac7d9514cd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/37df83bf-db77-4686-827a-17da117901e6
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.phis.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1533535
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disables zone checking for all users
Drops PE files to the startup folder
Found Tor onion address
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1533535 Sample: SecuriteInfo.com.FileRepMal... Startdate: 14/10/2024 Architecture: WINDOWS Score: 100 38 tse1.mm.bing.net 2->38 40 snippet.host 2->40 42 ax-0001.ax-msedge.net 2->42 48 Antivirus detection for dropped file 2->48 50 Antivirus / Scanner detection for submitted sample 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 7 other signatures 2->54 8 SecuriteInfo.com.FileRepMalware.14694.23524.exe 20 61 2->8         started        13 Windows.exe 3 2->13         started        15 Windows.exe 2 2->15         started        17 5 other processes 2->17 signatures3 process4 dnsIp5 44 snippet.host 103.167.234.130, 443, 49735, 49742 AARNET-AS-APAustralianAcademicandResearchNetworkAARNe unknown 8->44 30 C:\Users\user\AppData\Roaming\...\Windows.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Roaming\...\dllhost.exe, PE32 8->32 dropped 34 C:\Users\user\AppData\Roaming\...\Windows.exe, PE32 8->34 dropped 36 3 other malicious files 8->36 dropped 58 Creates an undocumented autostart registry key 8->58 60 Found Tor onion address 8->60 62 Disables zone checking for all users 8->62 66 4 other signatures 8->66 19 cmd.exe 1 8->19         started        22 notepad.exe 8->22         started        24 notepad.exe 5 8->24         started        46 127.0.0.1 unknown unknown 13->46 64 Multi AV Scanner detection for dropped file 13->64 file6 signatures7 process8 signatures9 56 Uses schtasks.exe or at.exe to add and modify task schedules 19->56 26 conhost.exe 19->26         started        28 schtasks.exe 1 19->28         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf/
Threat name:
ByteCode-MSIL.Trojan.Fsysna
Create hunting rule
Status:
Malicious
First seen:
2024-05-22 20:43:27 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4przyqc7za4jet4b4ylww6tg7agdrr7igqmcpsgzs5h37sua3thq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence ransomware
Link:
https://tria.ge/reports/241014-xa7bcazfka/
Behaviour
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Event Triggered Execution: Image File Execution Options Injection
Renames multiple (70) files with added filename extension
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e986d387-92b8-475c-ac0b-fb3853408a30
Unpacked files
SH256 hash:
f6a4be2a762ffd5a1f8d47c0deb34c3015d479bd409d01cc96f1d2d0be55caa2
MD5 hash:
100f3487b7d64026df5b68138535b734
SHA1 hash:
a7974031c9c6e46897ddf017824949320e251d82
Link:
https://www.unpac.me/results/2dcbbcf6-8e65-449b-929c-0bdbc0357d6c/
SH256 hash:
333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c
MD5 hash:
f0b3e112ce4807a28e2b5d66a840ed7f
SHA1 hash:
54a6743781fd4ceb720331fce92f16186931192d
Link:
https://www.unpac.me/results/2dcbbcf6-8e65-449b-929c-0bdbc0357d6c/
SH256 hash:
0aff1e6e31081c1767f64d29a8276e39b28b0082be9bfd26f74f146ac681553d
MD5 hash:
59ba07132cf01a0ec0c3f16f32241e3c
SHA1 hash:
111227cc9d1b741ee3e596d8b471ebd7350d4929
Link:
https://www.unpac.me/results/2dcbbcf6-8e65-449b-929c-0bdbc0357d6c/
SH256 hash:
e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf
MD5 hash:
437abb359165e8698ef19bbaf6175011
SHA1 hash:
5e1dfef47a129c1ee490fe0c06615ae54ad4e7e6
Link:
https://www.unpac.me/results/2dcbbcf6-8e65-449b-929c-0bdbc0357d6c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3e39c405fc8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e3e39c405fc838924f81e6176b7a66f80c38c7e8341827c8d9974fbfca80dccf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3234767/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments