MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Matanbuchus


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
SHA3-384 hash: ef10fd59ccc3496709ec89a66b3e613a7c55181b9b94f5bcdcd315b5e01e0b0bd6b92cb3c4cabaae00d9992163fb4d66
SHA1 hash: 2e9103747750b40835f58d9e57c2ab75eeaf25f6
MD5 hash: fc484855692f2a7d1eae090086a1eb72
humanhash: twelve-blue-dakota-muppet
File name:smphost.dll
Download: download sample
Signature Matanbuchus
Create hunting rule
File size:147'656 bytes
First seen:2022-01-30 12:22:39 UTC
Last seen:2022-01-30 13:47:18 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 793636b04c2e2f8cfe97a0d2fa1b60e1 (1 x Matanbuchus)
ssdeep 3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3
TLSH T196E34C017A989035F8FF0A7699B99969973D7920DB00DCEB339425AD4E30BD1AF30D27
Reporter @r0ny_123
Tags:dll matanbuchus SATURN CONSULTANCY LTD signed

Code Signing Certificate

Organisation:SATURN CONSULTANCY LTD
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-12-02T00:00:00Z
Valid to:2022-12-02T23:59:59Z
Serial number: 205483936f360924e8d2a4eb6d3a9f31
Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 44daf53d607937f410c3d300100399514d0ee5b03487e7ead16dfe324d2c5563
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
IN IN
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/225865/
Detection(s):
SecuriteInfo.com.ArtemisFC484855692F.12193.8968.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61f6832af01ae00db3dfd376/reports/33f16a15-218b-4650-a646-0b05e7f74992/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Microsoft Corporation
Create hunting rule
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d1221cd2-8593-49f1-bd00-0382cb3dbc21
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/930357
Signature
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Network Activity
Sigma detected: Schedule system process
Sigma detected: Suspicious Call by Ordinal
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562835 Sample: smphost.dll Startdate: 30/01/2022 Architecture: WINDOWS Score: 88 37 manageintel.com 2->37 47 Antivirus detection for URL or domain 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Sigma detected: Schedule system process 2->51 53 3 other signatures 2->53 8 loaddll32.exe 1 2->8         started        10 regsvr32.exe 2->10         started        12 regsvr32.exe 2->12         started        signatures3 process4 process5 14 regsvr32.exe 8 8->14         started        19 cmd.exe 1 8->19         started        21 rundll32.exe 8->21         started        27 2 other processes 8->27 23 regsvr32.exe 6 10->23         started        25 regsvr32.exe 12->25         started        dnsIp6 39 manageintel.com 185.14.31.158, 32710, 443, 49758 ITLDC-NLUA Ukraine 14->39 35 C:\ProgramData\6\5507.ocx, PE32 14->35 dropped 43 System process connects to network (likely due to code injection or exploit) 14->43 45 Uses schtasks.exe or at.exe to add and modify task schedules 14->45 29 WerFault.exe 23 9 14->29         started        31 schtasks.exe 14->31         started        33 rundll32.exe 19->33         started        41 192.168.2.1 unknown unknown 23->41 file7 signatures8 process9
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e/
Threat name:
Win32.Trojan.Convagent
Create hunting rule
Status:
Malicious
First seen:
2022-01-28 07:36:00 UTC
File Type:
PE (Dll)
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://www.spamhaus.org/query/hash/4wfzxo33zxz6sakfhn5zzhsrj7wr4u2wlyzianj5ztdxzxrgvgha._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220130-pkf8xabfc3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
MD5 hash:
fc484855692f2a7d1eae090086a1eb72
SHA1 hash:
2e9103747750b40835f58d9e57c2ab75eeaf25f6
Link:
https://www.unpac.me/results/8a97cf9f-4918-4c0f-bc79-4e28770904db/
AV coverage:
8.82%
AV detections:
6 / 68
Link:
https://www.virustotal.com/gui/file/e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e/detection/f-e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e-1643545435
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/225865/

Comments