MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b
SHA3-384 hash:	401031844b588da259aad8efbbf586199fdcc114cb441e73f8e58ce26079582de5c9af1ee9767dbd72750a69423d87c8
SHA1 hash:	90714d64915eb545267282face2a810d81a1c39d
MD5 hash:	823b238b9634e9f5cec3e340e55b0831
humanhash:	lemon-avocado-aspen-idaho
File name:	STMTCMB100_20230501.EXE
Download:	download sample
File size:	175'104 bytes
First seen:	2023-06-06 08:08:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	3072:TUexiOz3YCn5wUA0TSqCReP91qZYQuemPhABpy9FAeRqNWlc:7IYS8QuxPhA3eRqNE
Threatray	114 similar samples on MalwareBazaar
TLSH	T170045AA55B504A63E2AC4B3BA8EF05004FB1ED01686AE34A59EC71F90E33F75750D78B
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	f2d1b29c8ca6c4f8
Reporter	cocaman
Tags:	exe

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

260

Origin country :

CH

Vendor Threat Intelligence

ANY.RUN

Malware family:

n/a

ID:

1

File name:

4c155a4b5c7a7e379b3642a1048a4864

Verdict:

No threats detected

Analysis date:

2023-05-28 21:09:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1f79f96c-1305-4a59-8967-c9ad0e3100a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/396000/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.85211.21619.4395.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Sending an HTTP GET request

DNS request

Sending a custom TCP request

Using the Windows Management Instrumentation requests

Creating a file

Launching a process

Forced system process termination

Deleting a recently created file

Creating a process from a recently created file

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun by creating a file

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Link:

https://www.filescan.io/uploads/647ee9a08bd2cb19a50fe434/reports/357d80d2-42d5-4608-8abe-944620f64286/overview

Hybrid Analysis Win/malicious_confidence_70%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Suspicious

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/2f86f303-ea12-4d33-8d3a-f9dc277ccd02

Joe Sandbox malicious

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1249353

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Uses the Telegram API (likely for C&C communication)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b/

ReversingLabs TitaniumCloud ByteCode-MSIL.Trojan.Malgent

Threat name:

ByteCode-MSIL.Trojan.Malgent

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-26 20:16:29 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

16

AV detection:

19 of 24 (79.17%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6mw3giovda74sdcvy3ttgffk7jdoss4ljazxa2fwqqgvtksesj5q._file

Threatray malicious

Verdict:

malicious

Similar samples:

4a8da72abff64bcf80a2500077504588b720180b7694203bdb2434fa075fa7fa

65bea8ecbc22a05fe6cdd7108d9859e22de0a6796c7597ff299e4baf0dde04ad

6a019592f49db789478da1f5a63e673824a8bffacff9f99c5528072fb3b95ba1

965a58fe4566f227649c691d1c3d7c4e3f3f53af2b377d09a5837018a230c811

9cb4357e2a87559617f3adfcdcfe5dba5f02de53d9d7acd8cc5415bbab703e65

a7496f64d8f6fedf5d7684e9b073afc39f7f0254ca3a35de6383445a9235329e

afb6ebaef93a9f20bc3e52580cdcd0ca4558dc8307485d1b7c52380a686680fe

cfe0ce3795f3c45d3945d05c010f35e08e42036045e41aa3cf63cb1fb32d2ca6

f1b80af506aaf5f0f42514a80a0e5a9828b59a567337554983532308ab3a996f

+ 104 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/230606-j1421sdc5x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Checks computer location settings

Executes dropped EXE

Downloads MZ/PE file

UnpacMe

Unpacked files

SH256 hash:

f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b

MD5 hash:

823b238b9634e9f5cec3e340e55b0831

SHA1 hash:

90714d64915eb545267282face2a810d81a1c39d

Link:

https://www.unpac.me/results/7c924cb3-5880-48d5-aa15-0d0b59475223/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 270861db0cd0f712b034a62e1049ce6c2c46ccccac61c62d98e63d22a2ea5b96

exe f32db321d5183fc90c55c6e73314aafa46e94b8b48337068b6840d59aa44927b

(this sample)

  

Delivery method

Other

  

Dropped by

SHA256 270861db0cd0f712b034a62e1049ce6c2c46ccccac61c62d98e63d22a2ea5b96

Cape

https://www.capesandbox.com/analysis/396000/

  

Dropped by

MD5 4c155a4b5c7a7e379b3642a1048a4864