MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10



SHA256 hash: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
SHA3-384 hash: fef8587f5e9084adfd05f76c939e941346aa87e32929c5493a866025946d87224e4082c323a1af737f1b91250aa6728d
SHA1 hash: e2180bf4b9783d42d396826fc25ff8f9394cd430
MD5 hash: 259f06fcdb971f606d239b3178110981
humanhash: speaker-comet-lake-venus
File name: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
File size: 5'068'344 bytes
First seen: 2022-02-16 23:12:30 UTC
Last seen: 2022-02-17 01:07:04 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger). This is the import hash shared by virtually every .NET executable, whose import table contains only mscoree.dll!_CorExeMain; the counts in parentheses show how many samples of unrelated families carry the same value, so it identifies the runtime, not a family, and is not a useful pivot.
ssdeep: 49152:HwV7e4UdEmFoxt6LT/cZv17kbW6PaxjAzW0q0Myqi5jCeazHTL/HR85zA:HwVAzcZdYbW6yxUz40My5jCe0HP
Threatray: 2 similar samples on MalwareBazaar
TLSH: T1F436F12B39C305D4C0184E79D27D94E963F1668B2736AFAF304653E8CE1262B7F1B166
Reporter: Arkbird_SOLG
Tags: dropper exe Lorec53
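Before doing anything with the download, confirm that the bytes you extracted are the ones this entry describes. The script below is an added example, not MalwareBazaar tooling: it parses the "<algo> hash:" and "File size:" lines in the layout shown above (the excerpt embedded in the script is copied from this entry), hashes the file with the same four algorithms, and reports every check that fails. The script name verify_sample.py and the assumption that the sample has already been extracted from the download archive are mine.

```python
# Added example, not MalwareBazaar code: verify an extracted sample against the
# hashes and size published in its entry.
import hashlib
import re
import sys
from typing import Dict, Iterable, List

# Constructed excerpt of the entry above; the values are copied from the page.
PAGE_EXCERPT = """\
SHA256 hash: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff
SHA3-384 hash: fef8587f5e9084adfd05f76c939e941346aa87e32929c5493a866025946d87224e4082c323a1af737f1b91250aa6728d
SHA1 hash: e2180bf4b9783d42d396826fc25ff8f9394cd430
MD5 hash: 259f06fcdb971f606d239b3178110981
File size: 5'068'344 bytes
"""

# Page label -> hashlib constructor name.
_ALGOS = {"SHA256": "sha256", "SHA3-384": "sha3_384", "SHA1": "sha1", "MD5": "md5"}
_HASH_LINE = re.compile(r"^(SHA256|SHA3-384|SHA1|MD5) hash:\s*([0-9A-Fa-f]+)\s*$", re.M)
_SIZE_LINE = re.compile(r"^File size:\s*([\d']+) bytes", re.M)


def parse_page_hashes(text: str) -> Dict[str, str]:
    """Collect the '<algo> hash: <hex>' lines of an entry as {hashlib_name: lowercase hex}."""
    return {_ALGOS[m.group(1)]: m.group(2).lower() for m in _HASH_LINE.finditer(text)}


def parse_page_size(text: str) -> int:
    """File size in bytes (the page uses apostrophes as thousands separators); -1 if absent."""
    m = _SIZE_LINE.search(text)
    return int(m.group(1).replace("'", "")) if m else -1


def compute_hashes(data: bytes, algos: Iterable[str]) -> Dict[str, str]:
    """Hex digests of `data` for each hashlib algorithm name in `algos`."""
    return {name: hashlib.new(name, data).hexdigest() for name in algos}


def verify_sample(data: bytes, page_text: str) -> List[str]:
    """Names of the checks that FAILED; an empty list means the bytes match the entry."""
    expected = parse_page_hashes(page_text)
    actual = compute_hashes(data, expected)
    failures = [name for name in expected if actual[name] != expected[name]]
    size = parse_page_size(page_text)
    if size >= 0 and len(data) != size:
        failures.append("size")
    return failures


if __name__ == "__main__":
    # Usage: python verify_sample.py <extracted sample>   (extract the download archive first)
    with open(sys.argv[1], "rb") as fh:
        sample = fh.read()
    bad = verify_sample(sample, PAGE_EXCERPT)
    print("OK: matches the MalwareBazaar entry" if not bad else "MISMATCH: " + ", ".join(bad))
```

A mismatch on every hash usually means you hashed the download archive rather than the extracted file; a mismatch on size alone points at a truncated or re-packed copy.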

Intelligence


File Origin
# of uploads: 2
# of downloads: 664
Origin country: n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff.exe
Verdict:
Malicious activity
Analysis date:
2022-02-16 22:26:34 UTC
Tags:
loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a file
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the Program Files subdirectories
Creating a process with a hidden window
Launching the default Windows debugger (dwwin.exe)
Blocking the Windows Defender launch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
obfuscated overlay packed update.exe
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Behavior Graph (ID 567732; sample name e992RAmWwJ.exe; start date 07/02/2022; architecture WINDOWS; score 84), as a process tree:
Sample-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 3 other signatures
e992RAmWwJ.exe (started)
  dropped: C:\Users\user\Documents\Kmspkk.exe (PE32); C:\Users\user\Desktop\ChromeSetup.exe (PE32)
  signatures: Drops PE files to the document folder of the user; Hides that the sample has been downloaded from the Internet (zone.identifier)
  started: ChromeSetup.exe; Kmspkk.exe; e992RAmWwJ.exe (two further instances)
  ChromeSetup.exe
    dropped: C:\Program Files (x86)\...\psuser_64.dll (PE32+); C:\Program Files (x86)\Google\...\psuser.dll (PE32); C:\Program Files (x86)\...\psmachine_64.dll (PE32+); 65 other files (none is malicious)
    started: GoogleUpdate.exe
      dropped: C:\Program Files (x86)\...\goopdate.dll (PE32); C:\Program Files (x86)\...\GoogleUpdate.exe (PE32)
  Kmspkk.exe
    signatures: Encrypted powershell cmdline option found
    started: powershell.exe
      started: conhost.exe
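The Joe Sandbox result above gives the chain e992RAmWwJ.exe -> Kmspkk.exe -> powershell.exe with an encoded command line, the PE drops into Documents and Desktop, the Zone.Identifier removal, and (from ANY.RUN) autorun via a created file. The script below is an added example, not code from either sandbox or from this report: it turns those signatures into detection rules and runs them over a constructed event list. The Event record and its field names, the rule names, the Startup-folder path, the powershell.exe flags and the decoded script text ("Write-Output ...") are assumptions made for the illustration; only the process and file names are taken from the report.

```python
# Added example (not sandbox or MalwareBazaar code): detection rules for the
# behaviours reported above, run over a constructed event list.
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Every unambiguous prefix PowerShell accepts for -EncodedCommand, plus the -ec alias.
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE), or None if absent/invalid."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        if flag[:1] not in ("-", "/") or flag[1:].lower() not in _ENC_FLAGS:
            continue  # e.g. -ExecutionPolicy is not a prefix of "encodedcommand"
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None
    return None


def encode_command(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand; used here to build the sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


@dataclass
class Event:
    # Constructed event shape (assumption, not a real sensor format):
    #   kind "process": image = new process, target = its command line, parent = creator
    #   kind "file": target = path written;  kind "stream_delete": target = ADS removed
    kind: str
    image: str
    target: str
    parent: str = ""


_USER_DROP = re.compile(r"^[a-z]:\\users\\[^\\]+\\(documents|desktop)\\[^\\]+\.(exe|dll|scr)$", re.I)
_STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


def _finding(rule: str, ev: Event, detail: str) -> dict:
    return {"rule": rule, "image": ev.image, "parent": ev.parent, "detail": detail}


def triage(events: List[Event]) -> List[dict]:
    """Apply the rules in order; 'executes_dropped_file' is stateful across events."""
    findings: List[dict] = []
    dropped = set()
    for ev in events:
        if ev.kind == "file":
            dropped.add(ev.target.lower())
            if _USER_DROP.match(ev.target):
                findings.append(_finding("pe_dropped_in_user_folder", ev, ev.target))
            if _STARTUP_DIR.search(ev.target):
                findings.append(_finding("autorun_via_startup_folder", ev, ev.target))
        elif ev.kind == "stream_delete" and ev.target.lower().endswith(":zone.identifier"):
            findings.append(_finding("motw_removed", ev, ev.target))
        elif ev.kind == "process":
            if ev.image.lower() in dropped:
                findings.append(_finding("executes_dropped_file", ev, ev.image))
            if ev.image.lower().endswith("powershell.exe"):
                script = decode_encoded_command(ev.target)
                if script is not None:
                    findings.append(_finding("encoded_powershell", ev, script))
    return findings


ENCODED_SCRIPT = "Write-Output 'constructed payload'"  # stand-in; the real script is not on the page

# Constructed events following the reported process tree; names from the report, paths for
# the Startup entry and the PowerShell flags are assumptions.
SAMPLE_EVENTS = [
    Event("file", "e992RAmWwJ.exe", r"C:\Users\user\Documents\Kmspkk.exe"),
    Event("file", "e992RAmWwJ.exe", r"C:\Users\user\Desktop\ChromeSetup.exe"),
    Event("stream_delete", "e992RAmWwJ.exe", r"C:\Users\user\Documents\Kmspkk.exe:Zone.Identifier"),
    Event("process", r"C:\Users\user\Documents\Kmspkk.exe",
          r'"C:\Users\user\Documents\Kmspkk.exe"', parent="e992RAmWwJ.exe"),
    Event("file", "Kmspkk.exe",
          r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoP -W Hidden -enc " + encode_command(ENCODED_SCRIPT), parent="Kmspkk.exe"),
    Event("process", r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4", parent="powershell.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['parent']} -> {f['image']}: {f['detail']}")
```

The decoded script is the one artefact worth keeping from the encoded-PowerShell hit; a sandbox signature only tells you the flag was present, and the rule above fails closed (no finding) when the payload is not valid base64 or not UTF-16LE.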
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2022-02-02 14:07:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
795
AV detection:
23 of 28 (82.14%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
4/10
Tags:
n/a
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Unpacked files

SHA256 hash: da6ed6962cc77ce1da046eface85c130c152cafe466f086114156cfefac43647
MD5 hash: 38850003106c7b14581b7b3932d8785c
SHA1 hash: c94c3985bc7efa49645fa6def4c11d100f722460

SHA256 hash: 523bbb9352f182164bf098999ce87c299b2b4aeecc01153b20b93ef93627d30d
MD5 hash: df0f36c414048fb8c9e245ed176f79cf
SHA1 hash: be2abb573b7ad0156c0731615cc47296738c8c9d

SHA256 hash: 855d2b038baccf199c33489aacfb46a1558381c00566a628a0f655db79998be7
MD5 hash: 5c838483b106b8c20f7386e63f0dffc6
SHA1 hash: 687dddd45e76418df4b5358ef3b39f285b9bf7fe

SHA256 hash: b4d25ae828d1f6e31f24923401b3b87833f96c28c9638771bb794df684adace7
MD5 hash: ce84489221c39999b0496ed115c600f2
SHA1 hash: b56052edc3f19569c7974ccb14eef599a9e948ec

SHA256 hash: ea68a1a8e790c57c019b6c8a181f131f3aa985d67f1cbd05fb49d193cb436405
MD5 hash: 70902e1418a02573b2456a01458fc0a0
SHA1 hash: b1617cbea52f8b9b14d463db1ac401b42dca328f

SHA256 hash: 5967c31cabc90a0ac3dc1434148bb1aad7da9a4f20eac1db7ee3f5c4594760cb
MD5 hash: 1e2541da8724393114cbd88ac6691674
SHA1 hash: 11fa89a1c1b0998518f5447fc1141040718611e3

SHA256 hash: 7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash: 72403055ee098f50bcc8a238fdbef878
SHA1 hash: eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d

SHA256 hash: 373ecebfcd740da14d1fa114a15b08af91f4e2a524e1317af07e952c904890f0
MD5 hash: 7d640ef18f4fbb737fdbec6885bb1682
SHA1 hash: a7197370dd3372c66d2da9b3f851c2801e705b43

SHA256 hash: 7a87d4b2fc691380cb374d7109f54ee22e3f12e9fba63e7f657b7166de1febe4
MD5 hash: 94427e7094012f612bd9463e3185a50a
SHA1 hash: a29ed2f93f1e9742ef71a3da50b69f1f5afb0750

SHA256 hash: bbcd1a1ebb65dbffb2b7f8e64f3b87fb2d70147f02a140ecca616d96da44e94b
MD5 hash: d57f218b62183e3f9549e04e3d860f73
SHA1 hash: 9a3decb0e77e5575c37f76685af8e2cb6ed35054

SHA256 hash: d229d958b51bd309200badde9b411875965f494f087953d66ea9d2098808dec9
MD5 hash: 0c02d5ad4282115a07e225a1b933974c
SHA1 hash: 60042bf7626efc985d4d847439bae5e4ae440091

SHA256 hash: e036660b56e1439cf1706f557444222038a1da26190dffe5c27e9ea006cd1708
MD5 hash: 4d1b753a65eda9b108806b70e17f85d0
SHA1 hash: 4018fd3cb7f05868618be82c7498028dd79aab75

SHA256 hash: 29decd1e88b297aa67fef6e14e39889cfd2454c581b9371a1003b63a28324d0f
MD5 hash: ccc3750d9270d1e8c95649d91f94033b
SHA1 hash: 058f0190a58646ab1a6295eed496732e1e3f7cbf

SHA256 hash: f58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff (the submitted sample itself)
MD5 hash: 259f06fcdb971f606d239b3178110981
SHA1 hash: e2180bf4b9783d42d396826fc25ff8f9394cd430
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Both matches are import-hash rules. Because this sample carries the generic .NET imphash listed in the file information above, these hits only confirm that the file is a .NET PE; they are not a family attribution.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments