MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff
SHA3-384 hash: 2d0361bc1942c46155f43d12c3df4453825c92f29c59d56ea1c9b09831febcb7e01de9af40f8905b33cf14dcf6ad453c
SHA1 hash: 4219943320a7f291a4da37aed89bce5a4a09e250
MD5 hash: f91db36135a994d00b92ec2b1be0fca9
humanhash: delaware-low-robin-echo
File name:f91db36135a994d00b92ec2b1be0fca9
Download: download sample
File size:3'174'912 bytes
First seen:2023-08-25 22:57:03 UTC
Last seen:2023-08-25 23:35:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:mwOiIXJQSGd77+om1nVr6AZxPbxlhqhMKucCuTOgVrp7vRo6JE3CGiiFlENhh4xM:mT5af+tF6UxPFlQ+KdnESGNFe4xLafv
Threatray 2'725 similar samples on MalwareBazaar
TLSH T1FFE523F097CC6A21CE2D8FFA4B8CB65277FE01E34AD3560A8E2B757B6D4234B8811545
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
338
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f91db36135a994d00b92ec2b1be0fca9
Verdict:
Malicious activity
Analysis date:
2023-08-25 23:00:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2d0ca9b0-3652-4b9b-a5bf-371419354e7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444805/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.22346.7580.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64e931fa7444d2eb09f19df6/reports/1ece0dee-2212-43f8-8ccf-ae5c2e5dfa8a/overview
Verdict:
Malicious
Labled as:
Marsilia.Generic
Link:
https://www.hybrid-analysis.com/sample/f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b4e0937f-bae6-4af0-8e82-23fe6903c9b5
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1297673
Signature
.NET source code contains potential unpacker
Adds extensions / path to Windows Defender exclusion list
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1297673 Sample: SikdAgLCiY.exe Startdate: 26/08/2023 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected AntiVM3 2->75 77 3 other signatures 2->77 9 DataServicesWindows.exe 4 2->9         started        12 SikdAgLCiY.exe 1 6 2->12         started        15 DataServicesWindows.exe 2->15         started        process3 file4 81 Multi AV Scanner detection for dropped file 9->81 83 Machine Learning detection for dropped file 9->83 85 Adds extensions / path to Windows Defender exclusion list 9->85 17 cmd.exe 1 9->17         started        67 C:\Users\user\...\DataServicesWindows.exe, PE32 12->67 dropped 87 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->87 89 Writes to foreign memory regions 12->89 91 Injects a PE file into a foreign processes 12->91 19 cmd.exe 1 12->19         started        22 RegAsm.exe 12->22         started        24 RegAsm.exe 12->24         started        28 9 other processes 12->28 26 cmd.exe 15->26         started        signatures5 process6 signatures7 30 DataServicesWindows.exe 5 17->30         started        33 conhost.exe 17->33         started        79 Adds extensions / path to Windows Defender exclusion list 19->79 35 powershell.exe 18 19->35         started        37 conhost.exe 19->37         started        39 DataServicesWindows.exe 26->39         started        42 conhost.exe 26->42         started        process8 dnsIp9 95 Writes to foreign memory regions 30->95 97 Adds extensions / path to Windows Defender exclusion list 30->97 99 Injects a PE file into a foreign processes 30->99 44 cmd.exe 30->44         started        47 RegAsm.exe 30->47         started        49 RegAsm.exe 30->49         started        57 8 other processes 30->57 69 192.168.2.1 unknown unknown 39->69 51 cmd.exe 39->51         started        53 RegAsm.exe 39->53         started        55 RegAsm.exe 39->55         started        signatures10 process11 signatures12 93 Adds extensions / path to Windows Defender exclusion list 44->93 59 conhost.exe 44->59         started        61 powershell.exe 44->61         started        63 conhost.exe 51->63         started        65 powershell.exe 51->65         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff/
Threat name:
Win32.Trojan.Synder
Create hunting rule
Status:
Malicious
First seen:
2023-08-25 22:58:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ov2tdgvhry5jvpjc7u6d7kd4pnwdndmlfqq5352iw4mqhz6nd7q._file
Verdict:
malicious
Similar samples:
06408113ecebbf603255fb28db23c3dce8feff08089fdf626ae2d59edd72cddc
27e4134c13c4d29e345e79a9aa6a14498b048ae3877e01a6dd87c122aa89f54b
4b7de449a471b14bba4bf7063c0808cba03a74a789d83b6993938fbbe5bd1817
7be497fad30daede2fd7601f09ac79fbe2ec35bec5923e80f321dc30ac606457
8ba72f675acf5bc12805d4fff0bda437ea419d15e4237c916554a7f7df1b0b36
ae025809e03a89496d161b722b94d9ce5eb1f0bb74fd8c814fc82a9eac757c3f
aeba12133f15b8a33a8ee0ed0622f2c54f1b53e93b46f829fe6e9d518daf49f2
d18e505ce073d9d492f5183f342fd24f306d61cd1bc7dc92e68d265eddc9d276
+ 2'715 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/230825-2xam4sfc72/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Unpacked files
SH256 hash:
a0c3f2817de952f05159248b89a50d41afaf7a7524892a81b43cb52b7bea79a9
MD5 hash:
fdde3fb5e01b3e64e65d319f7af916c2
SHA1 hash:
c4f6351267916b2a2f0c793b8a86198fcc6859e0
Link:
https://www.unpac.me/results/64d6110a-2d64-46bf-8f9b-3d341b3201da/
SH256 hash:
88c9ca41e88c752ad5d44e3dc92b96338cfcfcc03300780727209ef4993d08f1
MD5 hash:
2f5126adbfd9bac70aac998d1c5ff44f
SHA1 hash:
8b084194d681c767587f7a44e8a621266fbd7add
Link:
https://www.unpac.me/results/64d6110a-2d64-46bf-8f9b-3d341b3201da/
SH256 hash:
7f599f482a060f36b947b67d739050464f85570f048463d90ddded4314e55904
MD5 hash:
ae5c80ebba2e3dbf33432345948f988c
SHA1 hash:
5c4d0cccfce546313b9939029b1f5214fdeeda12
Link:
https://www.unpac.me/results/64d6110a-2d64-46bf-8f9b-3d341b3201da/
SH256 hash:
4097b1f177266f43c995e0ea007c0d1fa891481df4f7aa799ef19118226d07ac
MD5 hash:
5a0386e3641697bf49f6de6170c44a25
SHA1 hash:
1a017e7c79f09860f53c892f052d6ca96c89aa4a
Link:
https://www.unpac.me/results/64d6110a-2d64-46bf-8f9b-3d341b3201da/
SH256 hash:
f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff
MD5 hash:
f91db36135a994d00b92ec2b1be0fca9
SHA1 hash:
4219943320a7f291a4da37aed89bce5a4a09e250
Link:
https://www.unpac.me/results/64d6110a-2d64-46bf-8f9b-3d341b3201da/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3aba98cd53c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f3aba98cd53c71d4d5e917e9e1fd43e3db61b46c59610eefba45b8c81f3e68ff

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2707278/
Cape
Cape
https://www.capesandbox.com/analysis/444805/

Comments


Avatar
zbet commented on 2023-08-25 22:57:04 UTC

url : hxxp://95.214.24.244/autotask/Moriwnrn.exe