MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96
SHA3-384 hash: 22f2bd03b01b4444c691edbc958dc5c7361be57f47eefc66878739c8205e30a0f2ad43c0996e2240029e0957106d099f
SHA1 hash: 351a1849eb84f27ce97e7fe07ac16b7d16da2562
MD5 hash: c6808ca5fac7b8bc9fd63a1c381e7872
humanhash: magazine-steak-fillet-vermont
File name:c6808ca5fac7b8bc9fd63a1c381e7872
Download: download sample
File size:581'632 bytes
First seen:2023-05-05 13:22:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:4V8YHzQpCUguZn8hwD5VF7bHUdKe8qTXuXF5w/jPDtLkaH0TQW6kbt3:FCzobV8hwDbF7b0dKWzqw/jPDtLkaUc8
Threatray 457 similar samples on MalwareBazaar
TLSH T143C42362C664A1D3D5E8423E6CDB13BE20FB1E096262FC70254F9D819B825C5AED37CD
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
251
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c6808ca5fac7b8bc9fd63a1c381e7872
Verdict:
Malicious activity
Analysis date:
2023-05-05 13:24:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3bfba776-bc72-4a7a-a448-b639354fda63

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/386952/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.26395.3428.12496.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6455033e291ebda6793beba4/reports/dfe52917-0336-4766-9b49-f169b07ea540/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3f44b2c5-3e8c-4b76-993d-1fd2937fc11e
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1226984
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 859956 Sample: TDeZ47sPtk.exe Startdate: 05/05/2023 Architecture: WINDOWS Score: 100 37 Antivirus detection for URL or domain 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 3 other signatures 2->43 7 TDeZ47sPtk.exe 15 5 2->7         started        12 TDeZ47sPtk.exe 1 2->12         started        14 TDeZ47sPtk.exe 2->14         started        process3 dnsIp4 33 45.88.66.118, 49702, 49704, 49705 LVLT-10753US Bulgaria 7->33 35 smartphoodapp.com 209.97.151.202, 443, 49703 DIGITALOCEAN-ASNUS United States 7->35 27 C:\Users\user\AppData\...\TDeZ47sPtk.exe, PE32+ 7->27 dropped 29 C:\Users\user\AppData\Local\...\Oqkthxtp.exe, PE32+ 7->29 dropped 51 Suspicious powershell command line found 7->51 53 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 7->53 16 powershell.exe 16 7->16         started        18 powershell.exe 19 7->18         started        31 C:\Users\user\AppData\...\TDeZ47sPtk.exe.log, CSV 12->31 dropped 55 Antivirus detection for dropped file 12->55 57 Multi AV Scanner detection for dropped file 12->57 59 Machine Learning detection for dropped file 12->59 file5 signatures6 process7 process8 20 Oqkthxtp.exe 16->20         started        23 conhost.exe 16->23         started        25 conhost.exe 18->25         started        signatures9 45 Antivirus detection for dropped file 20->45 47 Multi AV Scanner detection for dropped file 20->47 49 Machine Learning detection for dropped file 20->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-05-05 13:23:12 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=44mlvr3b6fra7b7qquc3rnoh5faxr3ims6gnqx3nmfzmbvm6r6la._file
Verdict:
malicious
Similar samples:
0cff8404e73906f3a4932e145bf57fae7a0e66a7d7952416161a5d9bb9752fd8
1ff771de93f1b7a1824949621e743f0207b199b96151fb288474a7e8a2435e1d
36cea9a517889dd607921a87d2bd9ed04b2de4c465f17d52bd1e399aa979da83
509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39
5d45948167c781bc6167406bf9b8f97f4fea8d976581c6c5130d9ee5a2b11831
65a73b946adeca7edc624d85c9af02b3d607e1e65df2580a32fb143b9c40fc7f
65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad
9cb4357e2a87559617f3adfcdcfe5dba5f02de53d9d7acd8cc5415bbab703e65
d9b498faf01b9eb598761915a6fc2fb4f1ab2317d354348baca6794730fd15d3
e0b361a5a568b0620b57e5af25e0627597c0633c285080a490e221c896ae5372
+ 447 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230505-qms6xscf7t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96
MD5 hash:
c6808ca5fac7b8bc9fd63a1c381e7872
SHA1 hash:
351a1849eb84f27ce97e7fe07ac16b7d16da2562
Link:
https://www.unpac.me/results/a057d681-115d-4b39-9f36-14d1fbd5255b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e718bac761f1620f87f08505b8b5c7e94178ed0c978cd85f6d6172c0d59e8f96

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2625211/
Cape
Cape
https://www.capesandbox.com/analysis/386952/

Comments


Avatar
zbet commented on 2023-05-05 13:22:46 UTC

url : hxxps://smartphoodapp.com/miner.exe