MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4031cb9e2710dec85d2167a32ee08861a98258458bc3ac1464e6b450e14aa76. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4031cb9e2710dec85d2167a32ee08861a98258458bc3ac1464e6b450e14aa76
SHA3-384 hash: 6f03f85d76b964ab0de77219d8be22328254537a21a92f9fd6d721ea06fb0c21b28e3cfd34b26ce7e92447d3f5c24679
SHA1 hash: 9e0864c50e427ba5315f80f16436e167cd22d58f
MD5 hash: 794891508938738671f8ec7e5f1e079f
humanhash: december-jersey-eighteen-timing
File name:794891508938738671f8ec7e5f1e079f
Download: download sample
File size:13'824 bytes
First seen:2021-11-22 19:31:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 192:CqHFxpFgZ7fbwncWL99KIty8io/mvalUexbbbbbbbbbbbbbbbbbbbbbbbbbbbbb+:RHFxpFI7fbwcWZ9KIty/v7VWh5xNWM
Threatray 27 similar samples on MalwareBazaar
TLSH T10952D7626FF493F7E6E60F7629B267308A35E7068835857C7488553A1E3139387A3B31
File icon (PE):PE icon
dhash icon 1032d232e98c3689 (16 x AgentTesla, 8 x AveMariaRAT, 7 x Formbook)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Pago de Recibo.xls
Verdict:
Malicious activity
Analysis date:
2021-11-22 18:58:06 UTC
Tags:
macros macros-on-open loader
Link:
https://app.any.run/tasks/76858233-0616-4780-8e0f-59d624b782cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
obfuscated wacatac
Link:
https://www.filescan.io/uploads/619bf03794a88037d2fef60c/reports/26e029d7-aed5-4849-8a78-1c27aac9f482/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87621061-3a20-4658-8ff3-a58efc447993
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894156
Signature
Creates an undocumented autostart registry key
Deletes itself after installation
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Encoded PowerShell Command Line
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526634 Sample: IGG2RkgBzU Startdate: 22/11/2021 Architecture: WINDOWS Score: 100 54 Multi AV Scanner detection for submitted file 2->54 56 Yara detected Costura Assembly Loader 2->56 58 Sigma detected: Suspicious Encoded PowerShell Command Line 2->58 9 IGG2RkgBzU.exe 14 10 2->9         started        process3 dnsIp4 48 js-hurling.com 192.185.113.96, 49784, 80 UNIFIEDLAYER-AS-1US United States 9->48 50 www.js-hurling.com 9->50 40 C:\Users\user\AppData\...\IGG2RkgBzU.exe, PE32+ 9->40 dropped 42 C:\Users\...\IGG2RkgBzU.exe:Zone.Identifier, ASCII 9->42 dropped 44 C:\Users\user\AppData\...\IGG2RkgBzU.exe.log, ASCII 9->44 dropped 46 C:\Users\user\AppData\Roaming\...\hssrc.exe, PE32+ 9->46 dropped 60 Creates an undocumented autostart registry key 9->60 62 Encrypted powershell cmdline option found 9->62 64 Writes to foreign memory regions 9->64 66 2 other signatures 9->66 14 IGG2RkgBzU.exe 9->14         started        18 powershell.exe 9->18         started        20 powershell.exe 16 9->20         started        22 9 other processes 9->22 file5 signatures6 process7 dnsIp8 52 45.133.1.84, 49814, 7098 DEDIPATH-LLCUS Netherlands 14->52 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->68 70 Tries to steal Mail credentials (via file / registry access) 14->70 72 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->72 76 2 other signatures 14->76 74 Deletes itself after installation 18->74 24 conhost.exe 18->24         started        26 conhost.exe 20->26         started        28 conhost.exe 22->28         started        30 conhost.exe 22->30         started        32 conhost.exe 22->32         started        34 4 other processes 22->34 signatures9 process10 process11 36 conhost.exe 26->36         started        process12 38 conhost.exe 36->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4031cb9e2710dec85d2167a32ee08861a98258458bc3ac1464e6b450e14aa76/
Threat name:
ByteCode-MSIL.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 19:12:48 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
19833e0887e0a19bb45a6acc390322e9aa09b9783620bcf479cda77a3b8c2533
2d8c517e8ada7ab3c73c6bd6b67b2a8528d83e31eb1b4e9ddd2ec27c2b308c94
35235fda554c446f3081ddbbaf1f18be2300a3830c1943cb93e53becb83d84e9
39e191e72e7e30193ef6d907de2084ea55048d92650af1d89917c30f664938bd
457366af26a4da0fb951fda087c68b15cc63f0034a588803b4ec6458edb601bf
57de84ac2faa2a05fc3e52fb79ae165e2825308fec4d86e30cc2c0c9984b089a
b06b803c1a654849e7b0310b0b590ca574568ab9eba41858e8caaff5dbbeacba
d4c39820192ae288fde7d999da4656ed93c402f1b7479f0a6e5aa9f903a41876
e9f97fc9aaebe8ed5c4fe044f9480c2504b50f94325f1b141ed28e6c381d17bc
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/211122-x8zddsbge2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
e4031cb9e2710dec85d2167a32ee08861a98258458bc3ac1464e6b450e14aa76
MD5 hash:
794891508938738671f8ec7e5f1e079f
SHA1 hash:
9e0864c50e427ba5315f80f16436e167cd22d58f
Link:
https://www.unpac.me/results/6a5d56f7-2265-4a66-b40c-c7f9f026050c/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e4031cb9e271/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4031cb9e2710dec85d2167a32ee08861a98258458bc3ac1464e6b450e14aa76

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e4031cb9e2710dec85d2167a32ee08861a98258458bc3ac1464e6b450e14aa76

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1806542/
Cape
Cape
https://www.capesandbox.com/analysis/208339/

Comments


Avatar
zbet commented on 2021-11-22 19:31:19 UTC

url : hxxp://www.js-hurling.com/cillyhill/cetyrsfomityhgnjm.exe