MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ecf8177e8848014ed2d7ce157ab5ca9ab40e563788deb14ff5df6066933e49a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ecf8177e8848014ed2d7ce157ab5ca9ab40e563788deb14ff5df6066933e49a1
SHA3-384 hash: cb92ffb2905433cecd547d054f2ba246479cdb395b6fed5e6dddc756ec668c8ce5e33981d786b041abe7c49fe31e0ff3
SHA1 hash: ba49051e9b99f8590f714f8be6f7e4a82de5806b
MD5 hash: 5fb18908969921e232936bcd20c584b4
humanhash: west-failed-kitten-jersey
File name:5fb18908969921e232936bcd20c584b4
Download: download sample
File size:180'736 bytes
First seen:2022-01-25 12:52:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:4WZkyRjBdy+OjBLTLM5URnBSCSWRMOjt59DK5tl4CYT8G4vB3ehpRRRRRERu:Xfy1jBPSURBvSBCVkoCLlOhpRRRRRER
Threatray 654 similar samples on MalwareBazaar
TLSH T17C04F112B2FC9716D9FA8B3978D1814857F8DA877746D708678AB18D2EC37039842F36
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5fb18908969921e232936bcd20c584b4
Verdict:
Suspicious activity
Analysis date:
2022-01-25 13:04:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fd7f829f-7669-4912-8549-fe941b776ab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/222454/
Detection(s):
Win.Packed.LokiBot-9937416-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61eff276f81da814afa3cad0/reports/af5b4a7b-d9bd-41be-85f8-6961ef2c3764/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d1904194-afa1-4b01-b965-a3be9d12cc75
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/927093
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ecf8177e8848014ed2d7ce157ab5ca9ab40e563788deb14ff5df6066933e49a1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 22:23:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
79ffa1ea98b4bf3c374a41d6bdc464d841e811ab6385752b31a02a7dc3f78753
afee42ed642d4f824b52d9c32a0965c204f97edf9be9e5b4d6a8011db59e5525
b0d65cf9bd6e65d3d8681b4366ceaa50cebea2895a960a2ea9972fe07a09d614
c741bc5e6d20f519e3329890102cb8422952f266ae0bbfe475086a8869794ed0
d500b70f534ef5f6a6b6fc988b8e626b2b722834bf033b301cac1658293b560d
fc90ce49a569f884194e99fe404a2ab0e5b5048434b6bb05319abf1c05cccadc
+ 644 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220125-p33vmagacp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
c7ade3f8cac6c7b43c6b6ba4d9705b62026daa6684ad5dbc24e38fc1f0cc01c7
MD5 hash:
c8cb4136a649f74be9e6971d8185da76
SHA1 hash:
c31f54d6d507a645e67634678fa3bdaacc2b2e30
Link:
https://www.unpac.me/results/d21d04e1-89a0-47e8-b0d6-a23b04c97790/
SH256 hash:
b2a607747feb92a572284e581164f047d22a66c1d8b6ae67e5525823001cb8a0
MD5 hash:
31c97a4cbcf14f5302c9a6094ec02697
SHA1 hash:
1491e3f25cf4936a65b511be560fc79e557fc769
Link:
https://www.unpac.me/results/d21d04e1-89a0-47e8-b0d6-a23b04c97790/
SH256 hash:
ecf8177e8848014ed2d7ce157ab5ca9ab40e563788deb14ff5df6066933e49a1
MD5 hash:
5fb18908969921e232936bcd20c584b4
SHA1 hash:
ba49051e9b99f8590f714f8be6f7e4a82de5806b
Link:
https://www.unpac.me/results/d21d04e1-89a0-47e8-b0d6-a23b04c97790/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/ecf8177e8848014ed2d7ce157ab5ca9ab40e563788deb14ff5df6066933e49a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ecf8177e8848014ed2d7ce157ab5ca9ab40e563788deb14ff5df6066933e49a1

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2005131/
Cape
Cape
https://www.capesandbox.com/analysis/222454/

Comments


Avatar
zbet commented on 2022-01-25 12:52:02 UTC

url : hxxp://vacandgold.com/zafar.exe