MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef72449dd56a1628cc56a50809c914fef2b5a59ca51b06e78e1c822d8938252d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 3


SHA256 hash: ef72449dd56a1628cc56a50809c914fef2b5a59ca51b06e78e1c822d8938252d
SHA3-384 hash: 7bb04ac8909c6fd0aa521f77534b8d7ea92f98624db2c8abb414f08ce575423acb1726fba924eb1b7a82ad4d0ec63706
SHA1 hash: 7727b58cdcf3c65f1647d5afce0e93336b9540fe
MD5 hash: 9eb93837e18761478692e10a6346f0eb
humanhash: sierra-butter-carolina-mars
File name: ef72449dd56a1628cc56a50809c914fef2b5a59ca51b06e78e1c822d8938252d
File size: 1'185'280 bytes
First seen: 2020-07-06 06:38:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 24576:5AjZnfIi/wS2BRLj6BfBmBD5ON73fRZ46+yg5U8YWnV:5AjZnfIrRLEfB8QxvbKOWn
Threatray: 12 similar samples on MalwareBazaar
TLSH: F5458C527BC8CF13D02E13B254EF041C4BFC82DA97B2DB5B1E9864E56D923226E491DE
Reporter: JAMESWT_WT

Intelligence


File Origin
# of uploads: 1
# of downloads: 60
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
  Using the Windows Management Instrumentation requests
  Creating a file
  Creating a file in the %temp% directory
  Launching a process
  Creating a file in the Program Files subdirectories
  Creating a process from a recently created file
  Connection attempt
  Enabling autorun with Startup directory
Threat name: ByteCode-MSIL.Backdoor.LightStone
Status: Malicious
First seen: 2020-06-28 06:38:00 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 36 of 48 (75.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
  Creates scheduled task(s)
  Suspicious use of AdjustPrivilegeToken
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of WriteProcessMemory
  Drops file in Program Files directory
  Drops file in Windows directory
  Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments