MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef3decb37bf1644adff276c9c7b6aa42e597986d96d74abf0dd8757c30c244c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef3decb37bf1644adff276c9c7b6aa42e597986d96d74abf0dd8757c30c244c7
SHA3-384 hash: d895935a9b4a83442ecf631a1784e0c9bd04566c19a3249d5c753faff84c3a3d779d5fb601f6e9eae016b75f5cbad843
SHA1 hash: be3e8cc61b3474f8cef7e1ccbe76bb4525aa7697
MD5 hash: 7e26a65502e428460a76d8268a420ade
humanhash: cold-asparagus-diet-pasta
File name:7e26a65502e428460a76d8268a420ade
Download: download sample
File size:9'216 bytes
First seen:2022-12-09 05:00:47 UTC
Last seen:2022-12-09 06:28:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 96:NfYbmLKf9p3fwbo7i20DZNLE/oohd4ALcuv0D7ekYzP/PXwPZzgRVMikOphzNt:maWX1MDZCocrLc7ukYzHPXsgRVMPUj
TLSH T17B12D805A79BC331DD6AC6366C23E3500638FF818E534B6F25E8750FAC32A448E636B1
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 00ca80c2c2808200 (36 x njrat, 4 x AsyncRAT, 4 x Smoke Loader)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344578/
Detection(s):
SecuriteInfo.com.Trojan.DownLoaderNET.507.18010.8915.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6392c112485d8463dc40f82d/reports/4c4671ab-7a26-4258-82d7-2c555ae3f69d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Quasar RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/98ff9523-6567-4c1b-9978-ffc8a568a4fb
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1131204
Signature
.NET source code contains potential unpacker
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef3decb37bf1644adff276c9c7b6aa42e597986d96d74abf0dd8757c30c244c7/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2022-12-07 17:57:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5466zm336fsevx7so3e4pnvkilszpgdns3luvpyn3b2xymgcitdq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/221209-fnkk3acd43/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5b84cf3a-0cc3-4905-9c01-0ee0755cf752
Unpacked files
SH256 hash:
ef3decb37bf1644adff276c9c7b6aa42e597986d96d74abf0dd8757c30c244c7
MD5 hash:
7e26a65502e428460a76d8268a420ade
SHA1 hash:
be3e8cc61b3474f8cef7e1ccbe76bb4525aa7697
Link:
https://www.unpac.me/results/33e1fe0b-887d-4059-bb6a-70201a323d59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ef3decb37bf1644adff276c9c7b6aa42e597986d96d74abf0dd8757c30c244c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ef3decb37bf1644adff276c9c7b6aa42e597986d96d74abf0dd8757c30c244c7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2452114/
Cape
Cape
https://www.capesandbox.com/analysis/344578/

Comments


Avatar
zbet commented on 2022-12-09 05:00:49 UTC

url : hxxp://23.94.231.161/119/vbc.exe