MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83
SHA3-384 hash:	f8f2166f56b4205361a4f150ed0b20fd5eb5d65611b4b318d01305604a103205ce04a1b88cccd1919d642b5d47ef9e33
SHA1 hash:	c31878c82a251ea2588722c4e59a55da1ce31302
MD5 hash:	5e7a17a25c8b161bcb3eaf692713be98
humanhash:	maine-massachusetts-johnny-sink
File name:	78.142.19.172__winvps_1_com__new__text.exe.malw
Download:	download sample
File size:	461'243 bytes
First seen:	2020-03-18 19:15:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep	6144:huIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLW5ydC3yzJdhR+U16av:E6Wq4aaE6KwyF5L0Y2D1PqLW5b3axjd
Threatray	180 similar samples on MalwareBazaar
TLSH	D4A4DF963802D670C76C8DB5F45E80F305602E79EEA595BBE2ECBF4436712413B2FA58
Reporter	ov3rflow1
Tags:	malw

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-48

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

Win.Trojan.Agent-6632624-0

PUA.Win.Downloader.Aiis-6803892-0

SecuriteInfo.com.PSW.Banker6.BTQY.1690.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Fareit

Status:

Malicious

First seen:

2018-08-02 16:16:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Verdict:

malicious

62e2d0479075cb28a37635972b9d3ad111e77b86b70de000409e11fe3f1d025a

63e969ed05409bdcf1992ef0ad0fb143d76e808379a2070a372f77b490c83770

647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249

6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36

8a72a55d126b69bda2f37fd88050aeed02d97733f6777759b542db8a442435bc

aff4652e2ee285a5ad71717a36e215c1eb59787d74e73a763701b0a5f68751a7

b24cb4cd3db305d5451cb3c0d0e60fe578b1fd38aca4be6032fb0ce2f0b786b4

ed105272dc3c77f54e7d170474afa6590a98477e6b076d7e5d1cf6c5e152319d

fb400e7c4b16ab67fa5c080f8b1e7f7db965b77d097526a6a28ef5ca34f24bd9

+ 170 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/41496/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::GetAce
MULTIMEDIA_API	Can Play Multimedia	WINMM.dll::timeGetTime
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample