MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7199c6368e4dc3dd480ab7a04dccf6267bc930b6fe08387d1b9c788d2e0db79. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7199c6368e4dc3dd480ab7a04dccf6267bc930b6fe08387d1b9c788d2e0db79
SHA3-384 hash: f6239d5fbb35d19e2b183ebbe6ba865616d012b3b8d2b5c3dda28de282080ef48cc8d7788c7f257fefdbe19ac18cbccf
SHA1 hash: 590cf5be65ce26d815adee1dda6ea73ce4bc4e6d
MD5 hash: bbd5262345d07a4d1b7e6945692cb3ea
humanhash: juliet-virginia-six-quiet
File name:bbd5262345d07a4d1b7e6945692cb3ea
Download: download sample
File size:505'856 bytes
First seen:2022-08-23 11:42:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:hzagGuLut6N6LqQzJqkKAulc84bYBbuB1t4cWWzDKuVAccIpGNJ+QYa:pMZ6N6LqQzJqk/a
Threatray 24 similar samples on MalwareBazaar
TLSH T112B44828A47FC05984A3EEA52DDCA8FBD99E95F3640C703301A5632B8F51B84DE4F479
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bbd5262345d07a4d1b7e6945692cb3ea
Verdict:
Malicious activity
Analysis date:
2022-08-23 11:50:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/39f84c35-7791-4247-baba-b93b71baa53c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300500/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.972-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a process with a hidden window
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Creating a file
Forced system process termination
Launching cmd.exe command interpreter
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6304bd8dce5d306100103f22/reports/f86e8623-7197-46ed-94af-52095840ccd8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Stealerium Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87ddc553-05df-499d-a2ac-d4eb9eb29494
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1056438
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 688957 Sample: jCjOiiTt7c Startdate: 23/08/2022 Architecture: WINDOWS Score: 84 41 Antivirus detection for URL or domain 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 .NET source code contains potential unpacker 2->45 47 5 other signatures 2->47 8 jCjOiiTt7c.exe 15 4 2->8         started        12 explorer.exe 5 4 2->12         started        process3 dnsIp4 37 raw.githubusercontent.com 185.199.111.133, 443, 49750 FASTLYUS Netherlands 8->37 35 C:\Users\user\AppData\...\jCjOiiTt7c.exe.log, ASCII 8->35 dropped 14 cvtres.exe 4 8->14         started        18 conhost.exe 8->18         started        20 explorer.exe 8->20         started        file5 process6 dnsIp7 39 leakportsnext.duckdns.org 37.0.14.212, 55443 WKD-ASIE Netherlands 14->39 51 Adds a directory exclusion to Windows Defender 14->51 22 cmd.exe 1 14->22         started        25 cmd.exe 1 14->25         started        signatures8 process9 signatures10 49 Adds a directory exclusion to Windows Defender 22->49 27 powershell.exe 21 22->27         started        29 conhost.exe 22->29         started        31 powershell.exe 20 25->31         started        33 conhost.exe 25->33         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7199c6368e4dc3dd480ab7a04dccf6267bc930b6fe08387d1b9c788d2e0db79/
Threat name:
ByteCode-MSIL.Hacktool.Sysencoder
Create hunting rule
Status:
Malicious
First seen:
2022-08-22 19:41:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 26 (76.92%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=44mzyy3i4tod3veavn5ajxgpmjt3zeyln7qihb6rxhdyruxa3n4q._file
Verdict:
malicious
Similar samples:
013c0a38f83cc7334209e0acbc268edb1f31ff5d6dcf377efc6b769c8450be43
3dbd1065734c9b3e603bc2a81dbadb77beeb54c6a918a6a4ae0687659ac3c0fb
5d573461fbe87a4441a12b5b61a3b74019aa21a784f9cf4410e1da100a55c792
6fc35a4f1f62fb4bc857d8401776edf80bbcb9654467e58e125ee84a53de7433
7322227e60086a497e66c0a6c5568dc138e81efc34e0d3a0ab5a2015b73afdaa
8a3d555c8d1019b6d42721a2eea770d2101458fd70b208f6767db2eeb1cd44bc
adb1176b1968316cdb3becb8197bd43f289e35a09d70a8deccd1f88bf631b0a2
cec2ff141f4c326d637e9985375f84d3f7863513ecb5c0ab3487c9dadf6ea8fa
d9345864bb59d75e19862e6d712836444ebba00f55a42b3e1d55f3f816246696
dfd756ed5e954ad5c3f86829365e56d96a5b4b458e98e750f27185470ce1b938
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220823-nvkhmsebaq/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Modifies Installed Components in the registry
Unpacked files
SH256 hash:
05d8f74203e57469ed9f1eb7802e00039fa1823e92be57c90048b8b76d0c1c13
MD5 hash:
2d9906f2b8c13f53f14b5f0cdd72328b
SHA1 hash:
eea9d744e948ac6830127dc6db622aee27f9029a
Link:
https://www.unpac.me/results/6c21ff6e-597c-4b2d-b396-ec4b9dc90b19/
SH256 hash:
e7199c6368e4dc3dd480ab7a04dccf6267bc930b6fe08387d1b9c788d2e0db79
MD5 hash:
bbd5262345d07a4d1b7e6945692cb3ea
SHA1 hash:
590cf5be65ce26d815adee1dda6ea73ce4bc4e6d
Link:
https://www.unpac.me/results/6c21ff6e-597c-4b2d-b396-ec4b9dc90b19/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7199c6368e4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7199c6368e4dc3dd480ab7a04dccf6267bc930b6fe08387d1b9c788d2e0db79

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:MALWARE_Win_DLAgent10
Create hunting rule
Author:ditekSHen
Description:Detects known downloader agent
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Double_Base64_Encoded_Executable
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889
Rule name:SUSP_Double_Base64_Encoded_Executable_RID34CC
Create hunting rule
Author:Florian Roth
Description:Detects an executable that has been encoded with base64 twice
Reference:https://twitter.com/TweeterCyber/status/1189073238803877889

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e7199c6368e4dc3dd480ab7a04dccf6267bc930b6fe08387d1b9c788d2e0db79

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2275915/
  
URLhaus
https://urlhaus.abuse.ch/url/2275913/
  
URLhaus
https://urlhaus.abuse.ch/url/2275914/
  
URLhaus
https://urlhaus.abuse.ch/url/2275923/
  
URLhaus
https://urlhaus.abuse.ch/url/2275955/
  
URLhaus
https://urlhaus.abuse.ch/url/2275978/
  
URLhaus
https://urlhaus.abuse.ch/url/2276013/
  
URLhaus
https://urlhaus.abuse.ch/url/2276040/
  
URLhaus
https://urlhaus.abuse.ch/url/2276042/
  
URLhaus
https://urlhaus.abuse.ch/url/2276048/
  
URLhaus
https://urlhaus.abuse.ch/url/2276050/
Cape
Cape
https://www.capesandbox.com/analysis/300500/

Comments


Avatar
zbet commented on 2022-08-23 11:42:48 UTC

url : hxxp://37.139.129.142/htdocs/TyDWNiKzHqJDCHm.exe