MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
SHA3-384 hash: b595fafab96a21487d2b69d97e3389f4e9c26910c1a1a47ec572f9a82816a9ca6570cc3fbffb90438e203afa7a19a667
SHA1 hash: 86d44761daf94a044554e51cfcd1a87ea30c560c
MD5 hash: b1d919dffd8784402d62faf2bed5299e
humanhash: carpet-salami-cold-carolina
File name:btc 112.exe
Download: download sample
File size:450'560 bytes
First seen:2020-10-22 06:37:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:39OFqHkhKxAfYtOoX6VQYt9A1GKZHNYPzodV:NOFqHkMx4SOoX6VQYPA1GUKzod
Threatray 15 similar samples on MalwareBazaar
TLSH C7A4F150B2AD6B72D6FE0BFA221C051683F1549FA362E3741DDB77D52593B000B91EA3
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail0.churchair.xyz
Sending IP: 159.65.99.217
From: Lily Yan<yan.chen@maersk.com>
Subject: Crypto Analysis
Attachment: btc 112.gz (contains "btc 112.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74475/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/506663
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 23:08:40 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kcixmdpv3bgzw337dpqdrmymqoq246iw7cyu6xncbxjqzeuft3a._file
Verdict:
malicious
Similar samples:
02e422396eb123142575e0dcee9f629941c42543ae8839a931e2cc8eefecb9c4
4b6dff1ae0dc05464837dbf7b980789ec3eac9b15987ca2b15c46986f4d9157f
573b66612f43bd09c655707f60f7a54be3afad50a7de1bd831e26edf3359b069
583e11d3579a63016e568fad73fb9f5ab64e32012ab1a0764f62191ced808078
630729fdd27776fa78d745320a153c105eeb7f40e8671515b3fd318ed4991bcb
6e7a5741c5cb3b394efeefd5cac1c71d023df73e4c19a02b9de64ea1a1ae4241
9a6e3d08a19f78c4910503262e775bfeda3c3b53ea5e86e5430e1d4b4c92a6f8
9e5f987ad43b66c469e9fed02999cfb62feff01049b5f1ef33804918bead665c
b3b1f3479b7d0033e21ef89ccea063a0281604d4472252cf590ec99be5aa2eb4
dc22665dc14ec019a9f8c421c938db597c2a1b9e439c4a0a0b6dc7b1330e75b8
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/201022-58gq2nv49s/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6
MD5 hash:
b1d919dffd8784402d62faf2bed5299e
SHA1 hash:
86d44761daf94a044554e51cfcd1a87ea30c560c
Link:
https://www.unpac.me/results/86aa7a23-6740-4c1b-b407-43b564f77197/
SH256 hash:
1ff6986d629a4e4b1d01276a5c2a84a7dfa5adc9c66b363c5daaf035b77de451
MD5 hash:
c9c26bc759501565dc9722d521494b1d
SHA1 hash:
91c0be6747652c9b1ee44fe287b0cbc2e039b677
Link:
https://www.unpac.me/results/86aa7a23-6740-4c1b-b407-43b564f77197/
SH256 hash:
a422b3f60537547ed3e01edb44f3ba7fbed612e16b51bb8658416b35dd34b9c0
MD5 hash:
03455acc48f46d7e7d06efabd6e99caf
SHA1 hash:
a993ff219de00504a775457e3813a579450f194f
Link:
https://www.unpac.me/results/86aa7a23-6740-4c1b-b407-43b564f77197/
SH256 hash:
0be3bd97267ee91f3aab5f9d3a43daddfdf01a51993bca7769c42aabbe0cb092
MD5 hash:
3a0e8b78a9120313ed70eb87f1b69b69
SHA1 hash:
fdf3cdc2dbf3eca57a326a42f2b9faf762c65817
Link:
https://www.unpac.me/results/86aa7a23-6740-4c1b-b407-43b564f77197/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 462e0d8da75d74d09bffe32baa9c037cd4041aa95a3c47fe9f6e5af4b09ff25a

Executable exe f2848bb06faec26cdb7bf8df01c598641d0d73c8b7c58a7aed106e9864942cf6

(this sample)

  
Dropped by
MD5 788880e3e9a687847310ee9805df9260
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74475/
  
Dropped by
SHA256 462e0d8da75d74d09bffe32baa9c037cd4041aa95a3c47fe9f6e5af4b09ff25a

Comments