MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e46ea10a5b05bf3eec5a25019a2d41b2a21d236c6bb2be113879d2c765ba7946. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 9

SHA256 hash: e46ea10a5b05bf3eec5a25019a2d41b2a21d236c6bb2be113879d2c765ba7946
SHA3-384 hash: dc47d2d6ef7160a1b460dd5b78921c36ab6e13f3d6c1e5999a5bebc278309140214ec203096e670f9dfee8f6286f8659
SHA1 hash: e417ee6635379ce52d6b5a82aed0861ce72a4508
MD5 hash: b73e633bcc72b77dbe5c0948a54c01b7
humanhash: zebra-summer-massachusetts-purple
File name: b73e633bcc72b77dbe5c0948a54c01b7
File size: 425'472 bytes
First seen: 2021-12-30 21:11:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 12288:5b1u/evmlOwt6gG4yiI1HwYSrBXEBrfybUDBhp:5bN+OwUgrBOHwrBXEBrfKUDnp
Threatray: 218 similar samples on MalwareBazaar
TLSH: T1829423C1DB093A78C7F90A38633FB2CA01168A6582438E1CFD2C5956FFA158541BB9F5
dhash icon: 5374a8d7b3f2a34a
Reporter: zbetcheckin
Tags: 32 exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 211
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b73e633bcc72b77dbe5c0948a54c01b7
Verdict: Suspicious activity
Analysis date: 2021-12-30 21:12:02 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
DNS request
Creating synchronization primitives
Launching a process
Unauthorized injection to a recently created process
Creating a process with a hidden window
Creating a file
Searching for the window
Creating a window
Forced system process termination
Sending a custom TCP request
Enabling autorun by creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 64 / 100
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (image not reproduced; the recoverable graph data follows). Behavior Graph ID: 546631. Sample: oMb1asG4w0. Start date: 30/12/2021. Architecture: WINDOWS. Score: 64. Signatures attached to the start node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Yara detected Costura Assembly Loader. Process tree: oMb1asG4w0.exe and explorer.exe are started; oMb1asG4w0.exe drops C:\Users\user\AppData\...\oMb1asG4w0.exe.log (ASCII) and starts a second oMb1asG4w0.exe and an explorer.exe; the second oMb1asG4w0.exe connects to 62.150.142.197 on port 8808 (QNETKuwaitKW, Kuwait).
Threat name: ByteCode-MSIL.Packed.Generic
Status: Suspicious
First seen: 2021-12-29 18:53:42 UTC
File Type: PE (.Net Exe)
Extracted files: 6
AV detection: 19 of 28 (67.86%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Modifies Installed Components in the registry
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with a stomped PE compilation timestamp that is later than the local current time
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Executable exe e46ea10a5b05bf3eec5a25019a2d41b2a21d236c6bb2be113879d2c765ba7946 (this sample)
Delivery method: Distributed via web download

Comments



zbet commented on 2021-12-30 21:11:02 UTC

url : hxxp://91.243.44.128/hv/ut.exe