MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SamoRAT


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea
SHA3-384 hash: 8f1c74cecb5cb107f3a1c745ac2fee670b9cac625d6ddbb5ca778d7df72a82963efaf2a970e9dc422ddc925ffd8cbe21
SHA1 hash: 802803b91e9439c5bc0a59f73629d2a191e9f4dc
MD5 hash: 4bb3e58d375714e27744d106143cf61b
humanhash: fifteen-one-golf-bluebird
File name:f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea
Download: download sample
Signature SamoRAT
Create hunting rule
File size:192'512 bytes
First seen:2020-07-09 11:14:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:9YTn0nrQqXjss50c33apk1CUi+uUPjp5fOJiH6CuWpFUj6w6FWjNx4ESTtX3BUL:inW0qXjNG2KpkDPRYmw6yD49tXq
Threatray 31 similar samples on MalwareBazaar
TLSH 1C14132839EB505DF3B7DFB16FD8B8FE895AF623250A757A108203464B22E40DD52739
Reporter JAMESWT_WT
Tags:SamoRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23694/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Enabling the 'hidden' option for recently created files
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending an HTTP GET request
Creating a window
Launching a service
Connection attempt to an infection source
Enabling autorun with Startup directory
Sending an HTTP POST request to an infection source
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f434312e8ce38172180f281f6b3951879e82f42a07362f89179d91ded810feea/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 10:01:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
21bde816285bdac8701e0143c1ae47f1fbee03c90b2cb3b9745740141ce7d51e
SamoRAT
22f372a62b10bd40e04174512b0251bb0a2f49d243cb45dad8c91c21557ed301
SamoRAT
25d5292a98310d54fee67972b0e8d736fcef644c5225782de4cf0c48645ae1e9
SamoRAT
54cc3426c8ad3f2d39543a8157843620af7108ea419589cc6755e77a31b96047
SamoRAT
55b8b84b624767c78a3ba733e577c4bdcd41fe9efa691725376a74077314e436
SamoRAT
571ec740451764b370c61813124b876d6bf8f0c2add56e57e7e8c00f494bc46e
SamoRAT
88741b14f426f4cb2f942dea22a70f85ae06a9e86ee03decd1ae79e6371f1b59
SamoRAT
939b2ae76b674d4fde311eb4374a5f0eaaf3d154a038fdd5febb84bec0734a77
SamoRAT
d6f32bc31225c5fa535140e98990618b7f0a597f8788ef5cd61b513eea4f6aca
SamoRAT
fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
SamoRAT
+ 21 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200709-fvcw7vfbyn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies service
Modifies service
Looks up external IP address via web service
Looks up external IP address via web service
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://business.xunison.com/analysis-of-samorat/
Cape
Cape
https://www.capesandbox.com/analysis/23694/

Comments