MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec117203d9cf5a324fdd8ead407b681096e9f60a0916f8316febb76943240b0a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec117203d9cf5a324fdd8ead407b681096e9f60a0916f8316febb76943240b0a
SHA3-384 hash: 0d3e4d0b5395b81ac321c41f2b467f30ff8596c1748493a7d18accca8fd65bb3175ac4ee0b71be301badc7f74d47f112
SHA1 hash: e7435345044a69cd7d185a40da9c378bd74a0a14
MD5 hash: 5d4950991e8971d5d92509ec3ad4a3f2
humanhash: west-west-golf-eighteen
File name:LGCMAIL_TW_XXXXX7292.exe
Download: download sample
File size:9'330'478 bytes
First seen:2021-12-23 22:49:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:5S5yUYmlrVndt5dAZ1/lYbrHVTZ9rUqlcMa8L:o5yKlx/5uZRlYbrHV3jlcg
Threatray 13 similar samples on MalwareBazaar
TLSH T16396221B3EC49537D45B4A7FE4F680B283717DA5AB14C64E6AECF19E86B234CA710213
File icon (PE):PE icon
dhash icon 0070e0c4cceeee00
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LGCMAIL_TW_XXXXX7292.exe
Verdict:
No threats detected
Analysis date:
2021-12-23 22:55:30 UTC
Tags:
installer
Link:
https://app.any.run/tasks/b7b3cb90-11c4-4c49-9842-c9ee14b99954

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/216045/
Detection(s):
ditekSHen.MALWARE.Win.Ransomware.SunCrypt.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file
Moving a recently created file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Creating a file in the Windows subdirectories
Moving a file to the Windows subdirectory
Creating a file in the system32 directory
Moving a file to the system32 directory
Creating a file in the drivers directory
Moving a file to the drivers directory
Launching a process
Modifying a system file
Creating a service
Launching a service
Loading a system driver
Sending a custom TCP request
Searching for the window
Sending an HTTP GET request
DNS request
Searching for synchronization primitives
Enabling autorun for a service
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive obfuscated overlay packed packed stealer
Link:
https://www.filescan.io/uploads/61c4fd2c8991ba72b39464a4/reports/c5b1e30a-75dc-46c0-8a9b-dba3758c2850/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IEInspector Software
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/76c2d182-830e-499d-927f-46b9d2fb672a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/912214
Signature
.NET source code contains a domain name check
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Found driver which could be used to inject code into processes
Machine Learning detection for sample
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 544692 Sample: LGCMAIL_TW_XXXXX7292.exe Startdate: 23/12/2021 Architecture: WINDOWS Score: 80 56 Antivirus detection for dropped file 2->56 58 Antivirus / Scanner detection for submitted sample 2->58 60 .NET source code contains potential unpacker 2->60 62 3 other signatures 2->62 9 LGCMAIL_TW_XXXXX7292.exe 14 2->9         started        12 svchost.exe 1 2->12         started        14 svchost.exe 1 2->14         started        process3 file4 48 C:\ProgramData\MyGuard\SetupTmp.exe.tmp, PE32 9->48 dropped 50 C:\ProgramData\MyGuard\SetupTmp.exe (copy), PE32 9->50 dropped 52 C:\Users\...\LGCMAIL_TW_XXXXX7292.exe.log, ASCII 9->52 dropped 16 SetupTmp.exe 2 9->16         started        20 CPManager.exe 9->20         started        process5 file6 38 C:\Users\user\AppData\Local\...\SetupTmp.tmp, PE32 16->38 dropped 54 Obfuscated command line found 16->54 22 SetupTmp.tmp 71 85 16->22         started        signatures7 process8 file9 40 C:\...\CPManager.exe (copy), PE32 22->40 dropped 42 C:\Windows\system32\miscfunc.dll (copy), PE32+ 22->42 dropped 44 C:\Windows\system32\...\ItlsOTN.sys (copy), PE32+ 22->44 dropped 46 120 other files (none is malicious) 22->46 dropped 25 CPManager.exe 1 12 22->25         started        28 cacls.exe 1 22->28         started        30 cacls.exe 1 22->30         started        32 instdrvOT.exe 3 22->32         started        process10 signatures11 64 Drops executables to the windows directory (C:\Windows) and starts them 25->64 34 conhost.exe 28->34         started        36 conhost.exe 30->36         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec117203d9cf5a324fdd8ead407b681096e9f60a0916f8316febb76943240b0a/
Threat name:
Win32.Exploit.CVE-2019-1184
Create hunting rule
Status:
Malicious
First seen:
2021-12-23 22:50:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
46
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
27b55c8a94eb835f7ef194183f088415ac4e75348609465a1393043ab6161631
40afa1e323be151d0d7a38c72f771b0b9e909f49ddade942d4260a5e29e5ec2f
417d90bf7d85a12dd9b199f97a0f7315532a71e0c09c124d50258dda532e0b20
52fae1ba28593ce0478042ee499f02333c1b671971c619bf7528a50ac051625a
5389a958986f6ceccaa9e44006852becbccabfb07f126d69e6b031227fb0b487
63c4e17fa9b6d87a9f4b68b854cae50e95f8de2a86929fecb8f34af0d15798e7
6b6c079401e47ab7c10a16fec31f9e330b3730f0e9f925caa43368b95a421b5e
989f403c14fe2ab86cb51cb4232ed7a3fc8f623ad8025e674acfa3bf45a0d917
98a293de8d3eb34cee5e3e8edc9f472323d13a997bdbd2806ac1fe483f5efd14
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/211223-2r96sacehl/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Checks installed software on the system
Drops desktop.ini file(s)
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
f21eb70b2c5f8b64b8eaa97bc202ca0d7693fea436dbcf7adf2495c8c90fc1e9
MD5 hash:
095cbdabe7d688e59a6ba5aa75c2c824
SHA1 hash:
e342e70f67ac4c8a3ad903efd6b2361de9f35690
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
c238999ea3caf3c490717aef20186bb49c115a2c53057bdb202dac5e6ea113c1
MD5 hash:
577cbbfa3ed386ba14927655460134a3
SHA1 hash:
b8c8d6792614b69431dfb378a7579ce9a776523a
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
d0ae373a366d5c73056a99262d90a734f0377fab6feb9f651f67a5dff79b320e
MD5 hash:
1d86160dfbac8ef48fc01ea2760df310
SHA1 hash:
a838d65cab3627c64f049a247c8dbb128dc3c89c
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd
MD5 hash:
6ded8fcbf5f1d9e422b327ca51625e24
SHA1 hash:
8a1140cebc39f6994eef7e8de4627fb7b72a2dd9
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
1bbbc90a9cef26427a09530f3445f35339c9725f9ea7037b136f2a20139abcc8
MD5 hash:
bb1a4213da2a3f3dacc432447cfe05b5
SHA1 hash:
53b9aed60c83f63aa73299cbbffd2cbcf1b1c34a
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
8d7b4eb1b10d60258adec4c20d90de94a43ed0df6597a0dbb743b301f3fa99ce
MD5 hash:
5b2ddde4dc2114b470edee3766b2cac2
SHA1 hash:
4e22ad7598da138633b0524618334dd4dde3ffa8
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
6aeb1a416314fd3e83db044d470f7e0d837f5837c09e2687cb4476115677722d
MD5 hash:
9ebb0d7665de101fa02a66c7c70243a9
SHA1 hash:
45ff08a5801325809dd73baa27f2e93defb5580d
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
SH256 hash:
ec117203d9cf5a324fdd8ead407b681096e9f60a0916f8316febb76943240b0a
MD5 hash:
5d4950991e8971d5d92509ec3ad4a3f2
SHA1 hash:
e7435345044a69cd7d185a40da9c378bd74a0a14
Link:
https://www.unpac.me/results/c4570867-3fa3-4f2d-a387-174671396176/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec117203d9cf5a324fdd8ead407b681096e9f60a0916f8316febb76943240b0a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/216045/

Comments