MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
SHA3-384 hash: 2ce1c2a0230d1273a83946ce6fb758c0ddfe01392c7337bc6d23bd11a50cc7a1c2fadad0cce02509b8b3cd6049dfc25b
SHA1 hash: 759f944cd579d8d55df3c81c0bd75d0e27936eed
MD5 hash: 51ab466b7973a25da110584522dc4011
humanhash: kitten-september-oxygen-papa
File name:51ab466b7973a25da110584522dc4011.exe
Download: download sample
File size:156'160 bytes
First seen:2020-10-08 17:50:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:07vJmuouRmZxdcRC8+/perDPLS7ZMtcI2nrvAq8Nqoggd7G:070uRmZxC1+kEMeFr4q8I+
Threatray 12 similar samples on MalwareBazaar
TLSH DBE3FF498D2BDC37FCA83BB6F8625FEE5B29586D1863E349411D4CAD4D1E3C408E31A6
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69338/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Creating a file in the Windows subdirectories
Launching a process
Creating a window
Changing a file
Setting a global event handler
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Searching for the window
Forced system process termination
Creating a process with a hidden window
Possible injection to a system process
Unauthorized injection to a recently created process
Launching a tool to kill processes
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/485905
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295424 Sample: uFhkxhLkg9.exe Startdate: 08/10/2020 Architecture: WINDOWS Score: 92 67 Antivirus / Scanner detection for submitted sample 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->71 73 Disables Windows Defender (via service or powershell) 2->73 8 cmd.exe 1 2->8         started        10 uFhkxhLkg9.exe 1 2->10         started        14 taskkill.exe 1 2->14         started        process3 file4 16 jshu4m1p.exe 2 8->16         started        20 conhost.exe 8->20         started        55 C:\Users\user\AppData\...\uFhkxhLkg9.exe.log, ASCII 10->55 dropped 75 Injects a PE file into a foreign processes 10->75 22 uFhkxhLkg9.exe 4 10->22         started        25 conhost.exe 14->25         started        signatures5 process6 dnsIp7 57 192.168.2.1 unknown unknown 16->57 59 Antivirus detection for dropped file 16->59 61 Multi AV Scanner detection for dropped file 16->61 63 Detected unpacking (overwrites its own PE header) 16->63 65 Disables Windows Defender (via service or powershell) 16->65 27 powershell.exe 20 16->27         started        29 powershell.exe 22 16->29         started        31 powershell.exe 16->31         started        37 9 other processes 16->37 53 C:\Windows\Temp\jshu4m1p.exe, PE32 22->53 dropped 33 cmstp.exe 9 7 22->33         started        35 conhost.exe 22->35         started        file8 signatures9 process10 process11 39 conhost.exe 27->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 37->45         started        47 conhost.exe 37->47         started        49 conhost.exe 37->49         started        51 5 other processes 37->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae/
Threat name:
ByteCode-MSIL.Trojan.GenMlwB
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 17:52:07 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
188937c949c23138157a707a06cca97dda5f3adc3b6f98bd07088a321d5220a5
1976401042595cb4dcafcd63e68461eab1af172f9442252b605bf4f0a49531f4
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
3d11505113851303d2eccdbf69ae0e87f06eb0d6bc4170326ea5c0e02e61d589
474af43d204f161ca0f2138812a1081fa7a09e5a64dc862cda83a8f23a3ff88e
7d8fc608e438fa407e73ad8e18d0978e83afb07894dddac811385d317c106336
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
d6e2c72145fa1473a21537eb00dfd5f038d441c4852ba54a70234e29cc189e49
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
ea7a3ae571da4778b074b401b955e1a8d8a9470bc72a7e3e45880a8f7223e652
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201008-t6x5grxvme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious use of SetThreadContext
Executes dropped EXE
Contains code to disable Windows Defender
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
087d0c0315da38a9c29aab66a628d05b169013d8135de9652e6a83bee15e8d8d
MD5 hash:
215d10c58de49c8d224e9a77d42961db
SHA1 hash:
2bb0effd16fb00c44aa78ba949a0e0d9a1cb4f94
Link:
https://www.unpac.me/results/4baf5f46-366a-4e91-93a9-75c8f45fb770/
SH256 hash:
93117e69bd6c0dcc95098964b73c2e41647f759cbe5ce84cdb21c03fba604b72
MD5 hash:
bee1fe541f303428fe19f848d981f5f3
SHA1 hash:
4b541ba6c9838a3e7ab13705abbb5cd5a9ce42c9
Link:
https://www.unpac.me/results/4baf5f46-366a-4e91-93a9-75c8f45fb770/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/4baf5f46-366a-4e91-93a9-75c8f45fb770/
SH256 hash:
88e7d1e5414b8fceb396130e98482829eac4bdc78fbc3fe7fb3f4432137e0e03
MD5 hash:
f4b5c1ebf4966256f52c4c4ceae87fb1
SHA1 hash:
ca70ec96d1a65cb2a4cbf4db46042275dc75813b
Link:
https://www.unpac.me/results/4baf5f46-366a-4e91-93a9-75c8f45fb770/
SH256 hash:
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
MD5 hash:
51ab466b7973a25da110584522dc4011
SHA1 hash:
759f944cd579d8d55df3c81c0bd75d0e27936eed
Link:
https://www.unpac.me/results/4baf5f46-366a-4e91-93a9-75c8f45fb770/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/669958/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/669959/
Cape
Cape
https://www.capesandbox.com/analysis/69338/

Comments