MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f86974cc3a2a1d06dcc4effe66d6e27380dd4e4e4fe254a1b88a3ea3c7e681c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6


SHA256 hash: f86974cc3a2a1d06dcc4effe66d6e27380dd4e4e4fe254a1b88a3ea3c7e681c4
SHA3-384 hash: 33015f390034138719cabce4165e9000342e0e4fc78449f3de5cb4c4a3077d061f01a5c76ca228cc5b892624296f450b
SHA1 hash: a78d598a8d1070e1741f9cda69fed65ed5391cef
MD5 hash: d4b92819427106f192686cb5103987d8
humanhash: carpet-cola-angel-snake
File name: SecuriteInfo.com.Generic.mg.d4b92819427106f1.23338
File size: 2'805'760 bytes
First seen: 2020-08-28 13:53:51 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 49152:qR6ob9zIw1CWTVjFCbRg23wWFZbWx4I9xCDO42FjuFVfkFjiprGCpQ2XA:qR68F5VjM7S2IaKBFuF1kZcnd
Threatray: 6 similar samples on MalwareBazaar
TLSH: E7D52306FDA9654AEDA8883291FB94124BB08FC7463FE3076A4C3A4683317F78D17D59
Reporter: SecuriteInfoCom

Intelligence

File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Binary contains a suspicious time stamp
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file

Behaviour
Behavior Graph (ID 279167; sample SecuriteInfo.com.Generic.mg...; start date 28/08/2020; architecture WINDOWS; score 80). Recoverable graph contents:
Top-level signatures: Multi AV Scanner detection for submitted file; .NET source code contains method to dynamically call methods (often used by packers); May check the online IP address of the machine; 2 other signatures
Processes started from the sample: SecuriteInfo.com.Generic.mg.d4b92819427106f1.exe, VGA.exe, VGA.exe
Files dropped by SecuriteInfo.com.Generic.mg.d4b92819427106f1.exe: C:\Users\user\AppData\Roaming\VGA.exe (PE32); C:\Users\user\...\VGA.exe:Zone.Identifier (ASCII); SecuriteInfo.com.G...819427106f1.exe.log (ASCII)
Child processes: SecuriteInfo.com.Generic.mg.d4b92819427106f1.exe (three instances); VGA.exe spawning further VGA.exe instances and 2 other processes
Signatures on the dropped VGA.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Network contacts from the child SecuriteInfo.com.Generic.mg.d4b92819427106f1.exe: donbit.camdvr.org 135.181.9.107, ports 3030, 49726, 49750 (HETZNER-ASDE, Germany); myexternalip.com 216.239.32.21, ports 443, 49727, 49751 (GOOGLEUS, United States); 192.168.2.1 (unknown)
Signature on that process: Hides threads from debuggers
Threat name: Win32.Trojan.Bluteal
Status: Malicious
First seen: 2020-08-28 13:55:08 UTC
AV detection: 12 of 28 (42.86%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: upx persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe f86974cc3a2a1d06dcc4effe66d6e27380dd4e4e4fe254a1b88a3ea3c7e681c4 (this sample)

Delivery method: Distributed via web download

Comments