MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec5e49c4fba591d631c2d9475916d232a5b38d7bff5df4e430a96320421fc5e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec5e49c4fba591d631c2d9475916d232a5b38d7bff5df4e430a96320421fc5e0
SHA3-384 hash: 84a7c3d669a4274f71054280379563d41034e1e7ff48eab5cbfd7cdb0cc999a1dfd9e31e74684af8c98f0716b92a3d45
SHA1 hash: bd7d8fd5228fdbab19b4c6637a4484bd4a029830
MD5 hash: 856929bb3942b4c0e887d0cc05bfa4d8
humanhash: chicken-seven-gee-ohio
File name:Qtkgyeroi3.exe
Download: download sample
File size:465'920 bytes
First seen:2022-02-25 11:37:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:k0LhcjAMPjl832Y2Tj1TbNywZXzaWr7Qqu2DvM/2g:KEMPjuijXWyxrDkv
Threatray 536 similar samples on MalwareBazaar
TLSH T1FCA423EF22818472CC0B197F135E56E27772938BE04279787B1C86975F3607A9463BB2
File icon (PE):PE icon
dhash icon c22ba0299124a69c
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Qtkgyeroi (2).iso
Verdict:
Malicious activity
Analysis date:
2022-02-25 11:32:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5ef61f7b-a59a-4f6c-a43d-f1e8626dde04

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/244693/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6218bfa1dfdfa8501c5a0a57/reports/bba6e415-8c71-4eac-83fc-3015bdc198a2/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ff241bf8-180d-4624-b9e2-fa58733a13c0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/946344
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Encoded PowerShell Command Line
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 578825 Sample: Qtkgyeroi3.exe Startdate: 25/02/2022 Architecture: WINDOWS Score: 100 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Sigma detected: Drops script at startup location 2->48 50 4 other signatures 2->50 8 Qtkgyeroi3.exe 1 5 2->8         started        13 Qtkgyeroi3.exe 1 2->13         started        15 wscript.exe 1 2->15         started        17 Qtkgyeroi3.exe 1 2->17         started        process3 dnsIp4 42 23.105.131.196, 49789, 49796, 49813 LEASEWEB-USA-NYC-11US United States 8->42 38 C:\Users\user\AppData\...\Qtkgyeroi3.exe, PE32+ 8->38 dropped 40 C:\Users\user\AppData\...\Qtkgyeroi3.vbs, ASCII 8->40 dropped 54 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 8->54 56 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->56 58 Drops VBS files to the startup folder 8->58 19 powershell.exe 18 8->19         started        60 Antivirus detection for dropped file 13->60 62 Multi AV Scanner detection for dropped file 13->62 64 Machine Learning detection for dropped file 13->64 21 powershell.exe 14 13->21         started        23 Qtkgyeroi3.exe 15->23         started        66 Encrypted powershell cmdline option found 17->66 26 powershell.exe 17->26         started        file5 signatures6 process7 signatures8 28 conhost.exe 19->28         started        30 conhost.exe 21->30         started        52 Encrypted powershell cmdline option found 23->52 32 powershell.exe 23->32         started        34 conhost.exe 26->34         started        process9 process10 36 conhost.exe 32->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec5e49c4fba591d631c2d9475916d232a5b38d7bff5df4e430a96320421fc5e0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-02-25 11:37:22 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
6
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
05bd6e05fa5cba8cf94a0cfd567351cd15e2d873e9e6ae3a951175e21deddaf4
42287ac393c08dcdae7b2ee2c75dcce8cf0739dc5e8eff36e6da0eefc2388382
4c0f83c722bdcb38b3d53a1cebc80b777ee6e02742e27a384ac39d7e51f4e7dd
5f7f0576163208492f35624e57916b0a6ce9093d75ba32e57ac688435b5240ad
8592d578f269100d67bf1faa464e23de7bf0c1266bad19d2bf6bcce0501158a3
b8868eb87c7cb945704e2d0b8ec2ebdc890cd6df12f9ef0a7295582c7fd0cf1f
c0ccd75375402c9d18d9fd11207ddf17011449874a2bc3521c6e3b815402b578
c9d7cb68dec80469c3c03b0e90c7af1972462ca7779424db3bfd9d44aebaa624
d24cfa0bdad2e8531085b2cf684b9ea333fd5d85daa7c7a51750e943f6ae7e0b
+ 526 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/220225-nrp9qagad4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Unpacked files
SH256 hash:
ec5e49c4fba591d631c2d9475916d232a5b38d7bff5df4e430a96320421fc5e0
MD5 hash:
856929bb3942b4c0e887d0cc05bfa4d8
SHA1 hash:
bd7d8fd5228fdbab19b4c6637a4484bd4a029830
Link:
https://www.unpac.me/results/35ef699b-b0b4-4feb-b552-c30bc57326e2/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/ec5e49c4fba5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec5e49c4fba591d631c2d9475916d232a5b38d7bff5df4e430a96320421fc5e0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/244693/

Comments