MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa0b4a161fde3baa3c053c4b2824e8ac205d883b2b61c32cd5d2b9dcc591880f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa0b4a161fde3baa3c053c4b2824e8ac205d883b2b61c32cd5d2b9dcc591880f
SHA3-384 hash: 51fd91f82040307d298379be0dac966d5199a8dff15e54b020a0c1818181c95c7302b924a383e82b03e30535b37be1e9
SHA1 hash: 75ab80aa16db7886b82c85efbb3c58040fc09905
MD5 hash: 25980596d55bb835da4c147d6afcb884
humanhash: yellow-apart-johnny-pluto
File name:Updater.txt
Download: download sample
File size:301'568 bytes
First seen:2022-02-04 10:29:34 UTC
Last seen:2022-02-04 12:56:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:L2yGPojUytRQ1FHPDV+ByUQtYF2hEFZdqe1c6XH3R19+gaE7:KLojUy32AGtYXHdqe1c6XXJME
TLSH T15554A00AA5C8E21DC41716B309D58AD431EEBF677831961F377CFA291BB1FA27D01289
File icon (PE):PE icon
dhash icon 71d8b8e4d8e2e471
Reporter r3dbU7z
Tags:dropper exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
596
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Updater.txt
Verdict:
No threats detected
Analysis date:
2022-02-04 11:23:11 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ac5ff2ad-8df3-4db0-a285-0a614098a23a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/232966/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Sabsik.FL.Bml.12704.1259.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c045222f-9ad6-45d1-b655-4bdc1de67cd5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/934151
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Multi AV Scanner detection for submitted file
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 566626 Sample: Updater.txt Startdate: 04/02/2022 Architecture: WINDOWS Score: 60 44 tatamagicexpress.tk 2->44 64 Multi AV Scanner detection for submitted file 2->64 66 .NET source code contains potential unpacker 2->66 68 Uses known network protocols on non-standard ports 2->68 14 Updater.exe 16 6 2->14         started        signatures3 process4 dnsIp5 58 tatamagicexpress.tk 137.184.87.137, 49759, 49762, 49775 PANDGUS United States 14->58 42 C:\Users\user\AppData\...\Updater.exe.log, ASCII 14->42 dropped 62 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 14->62 19 Updater.exe 4 14->19         started        file6 signatures7 process8 dnsIp9 48 tatamagicexpress.tk 19->48 22 Updater.exe 4 19->22         started        process10 dnsIp11 52 tatamagicexpress.tk 22->52 25 Updater.exe 4 22->25         started        process12 dnsIp13 54 tatamagicexpress.tk 25->54 28 Updater.exe 25->28         started        process14 dnsIp15 56 tatamagicexpress.tk 28->56 31 Updater.exe 28->31         started        process16 dnsIp17 60 tatamagicexpress.tk 31->60 34 Updater.exe 31->34         started        process18 dnsIp19 46 tatamagicexpress.tk 34->46 37 Updater.exe 34->37         started        process20 dnsIp21 50 tatamagicexpress.tk 37->50 40 Updater.exe 37->40         started        process22
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-02-04 10:30:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  4/10
Tags:
n/a
Link:
https://tria.ge/reports/220204-mjtrhahcck/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Unpacked files
SH256 hash:
fa0b4a161fde3baa3c053c4b2824e8ac205d883b2b61c32cd5d2b9dcc591880f
MD5 hash:
25980596d55bb835da4c147d6afcb884
SHA1 hash:
75ab80aa16db7886b82c85efbb3c58040fc09905
Link:
https://www.unpac.me/results/69c3864c-dc50-4603-aa78-4a9f3bd9ff46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.41
Link:
https://yomi.yoroi.company/submissions/fa0b4a161fde3baa3c053c4b2824e8ac205d883b2b61c32cd5d2b9dcc591880f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fa0b4a161fde3baa3c053c4b2824e8ac205d883b2b61c32cd5d2b9dcc591880f

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/232966/
  
URLhaus
https://urlhaus.abuse.ch/url/2029919/

Comments