MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Matanbuchus

Vendor detections: 8

SHA256 hash: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
SHA3-384 hash: ef10fd59ccc3496709ec89a66b3e613a7c55181b9b94f5bcdcd315b5e01e0b0bd6b92cb3c4cabaae00d9992163fb4d66
SHA1 hash: 2e9103747750b40835f58d9e57c2ab75eeaf25f6
MD5 hash: fc484855692f2a7d1eae090086a1eb72
humanhash: twelve-blue-dakota-muppet
File name: smphost.dll
Signature: Matanbuchus
File size: 147'656 bytes
First seen: 2022-01-30 12:22:39 UTC
Last seen: 2022-01-30 13:47:18 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: 793636b04c2e2f8cfe97a0d2fa1b60e1 (1 x Matanbuchus)
ssdeep: 3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3
TLSH: T196E34C017A989035F8FF0A7699B99969973D7920DB00DCEB339425AD4E30BD1AF30D27
Reporter: @r0ny_123
Tags: dll matanbuchus SATURN CONSULTANCY LTD signed

Code Signing Certificate

Organisation: SATURN CONSULTANCY LTD
Issuer: Sectigo Public Code Signing CA R36
Algorithm: sha384WithRSAEncryption
Valid from: 2021-12-02T00:00:00Z
Valid to: 2022-12-02T23:59:59Z
Serial number: 205483936f360924e8d2a4eb6d3a9f31
Blocklist: This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint algorithm: SHA256
Thumbprint: 44daf53d607937f410c3d300100399514d0ee5b03487e7ead16dfe324d2c5563
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 128
Origin country: IN
Mail intelligence: No data
Vendor Threat Intelligence

Result
  Verdict: Clean
  Maliciousness:
  Behaviour:
    Searching for the window
    DNS request

Result
  Verdict: Malicious
  Threat level: 10/10
  Confidence: 100%
  Tags: greyware overlay packed shell32.dll

Result
  Verdict: MALICIOUS
  Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
  Malware family: Microsoft Corporation
  Verdict: Unknown

Result
  Threat name: Unknown
  Detection: malicious
  Classification: troj.evad
  Score: 88 / 100
  Signatures:
    Antivirus detection for URL or domain
    Multi AV Scanner detection for submitted file
    Sigma detected: Regsvr32 Network Activity
    Sigma detected: Schedule system process
    Sigma detected: Suspicious Call by Ordinal
    System process connects to network (likely due to code injection or exploit)
    Uses known network protocols on non-standard ports
    Uses schtasks.exe or at.exe to add and modify task schedules
  Behaviour:
    Behavior Graph (image not reproduced): Behavior Graph ID 562835, Sample smphost.dll, Startdate 30/01/2022, Architecture WINDOWS, Score 88. The graph shows the sample loaded via loaddll32.exe, regsvr32.exe and rundll32.exe, with cmd.exe, schtasks.exe and WerFault.exe child processes, a connection to manageintel.com (185.14.31.158, ports 32710, 443 and 49758, ITLDC-NLUA, Ukraine) and a dropped PE32 file C:\ProgramData\6\5507.ocx.
Threat name: Win32.Trojan.Convagent
Status: Malicious
First seen: 2022-01-28 07:36:00 UTC
File type: PE (Dll)
AV detection: 9 of 43 (20.93%)
Threat level: 5/5
Verdict: unknown

Result
  Malware family: n/a
  Score: 3/10
  Tags: n/a
  Behaviour:
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    Program crash
  Unpacked files:
    SHA256 hash: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
    MD5 hash: fc484855692f2a7d1eae090086a1eb72
    SHA1 hash: 2e9103747750b40835f58d9e57c2ab75eeaf25f6

File information

The table below shows additional information about this malware sample such as delivery method and external references.