MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
SHA3-384 hash: 1af54f9f1d4e20966450e00379408895d68b05dad872880d9ddde571cc496c6121e0a95303188452a5f3075ba00960f0
SHA1 hash: b4aff64bb1f0fee5d5c47c5f1275351c758b423a
MD5 hash: ae6cdc2be9207880528e784fc54501ed
humanhash: california-double-juliet-venus
File name:ae6cdc2be9207880528e784fc54501ed
Download: download sample
File size:10'752 bytes
First seen:2022-01-15 01:38:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 192:aLgToiTL+bi7LELaNqLiLyjFvjUTl0d8stYcFwVc03KY:aLgToiTL+bCLELaNqLiLsvwTl0dptYcX
Threatray 338 similar samples on MalwareBazaar
TLSH T14C22E802E3E44271C6B60A322AB7A741CF36E6275D168B6D74CC950E7F66242C7637F1
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ae6cdc2be9207880528e784fc54501ed
Verdict:
No threats detected
Analysis date:
2022-01-15 01:39:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/53750f8e-ff67-41e3-af56-7c3a54e34ca4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219427/
Detection(s):
SecuriteInfo.com.StaticAI-SuspiciousPE.15563.26940.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Launching a process
DNS request
Sending a custom TCP request
Creating a file
Searching for synchronization primitives
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
anti-debug cmd.exe greyware hacktool obfuscated packed shell32.dll wscript.exe
Link:
https://www.filescan.io/uploads/61e225b9f2e8ec86feff76e8/reports/f1737b44-cfb4-4869-a246-38d8b695b424/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fae9f51a-6236-46e6-8d62-b5b4738de5b0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/921017
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553495 Sample: j82lgS5kgk Startdate: 15/01/2022 Architecture: WINDOWS Score: 48 32 Multi AV Scanner detection for submitted file 2->32 7 j82lgS5kgk.exe 3 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 cmd.exe 1 7->11         started        13 cmd.exe 1 7->13         started        15 dw20.exe 20 6 7->15         started        process5 17 curl.exe 1 9->17         started        20 conhost.exe 9->20         started        22 curl.exe 1 11->22         started        24 conhost.exe 11->24         started        26 curl.exe 1 13->26         started        28 conhost.exe 13->28         started        dnsIp6 30 sincheats.com 217.21.76.148, 443, 49762, 49763 IPPLANET-ASIL United Kingdom 17->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-01-15 01:39:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
17be6c33020601127b2ac2e87be0dadb64c7af911d38ba70bf4d86d595ca4759
42421c08872fa9a261dfe3184f7747d224ed3deb2c0420bbb2ce8f00387fd258
4d041237f6dbd08e6d88a1a526fa2dc3f1e4ce19348200105a0fa749195bce36
600c157ddb6d90c409f612a89e5c4259af4a7f724fd23ba85d1879b49c83054b
87967600b0f6026f97093416dcd7ec38f740adaf84757255c179180873b41177
a1457e7a591877c3732325e462c479a450b19bda91ecaca0a37cdb137ed152ae
b999ca69b211c89b669c18ec8543d34f203f73a1c793db6d481da5c917c3f116
dee5fa01f5f31868f131fb518880eae43324acc873b2c04f8bcd98bf771be3af
f3de4ce2a7e7d27e8dcfc9b38b0e55631181393e673a37a57bd97e218a797cfe
+ 328 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220115-b2zjxscbgj/
Behaviour
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac
MD5 hash:
ae6cdc2be9207880528e784fc54501ed
SHA1 hash:
b4aff64bb1f0fee5d5c47c5f1275351c758b423a
Link:
https://www.unpac.me/results/1c9ceacc-9108-45fd-b953-4fcdaecaf403/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe e71a997a58a54db0a879969fa1c3de5193b090bc59f3468f408785dbc0d9c7ac

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1977806/
Cape
Cape
https://www.capesandbox.com/analysis/219427/

Comments


Avatar
zbet commented on 2022-01-15 01:38:16 UTC

url : hxxp://81.163.30.181/start.exe