MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc8981fbaba568d24617445293a465a341cb2ac3055e8cd29c5bad2ee1f6b952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc8981fbaba568d24617445293a465a341cb2ac3055e8cd29c5bad2ee1f6b952
SHA3-384 hash: af8ea9229bf155f6440ac853453f85e817a8b1e0d754d2f5281c78cff8767def9826dc246f6dc2fc95110527e5454430
SHA1 hash: bf8be8e409185942dc328f6ce60410fae6c8a3e8
MD5 hash: ca59ffd2be3593bd0dce304a72482575
humanhash: robin-queen-iowa-red
File name:VWR REVISED.pdf.exe
Download: download sample
File size:1'614'848 bytes
First seen:2021-04-22 06:12:49 UTC
Last seen:2021-04-22 07:19:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:xyNmwRRRRREWk1fv+kwZlPOaN7HNliikZq8CF4/31CffrzRk8TZKXyVAusZgBnqp:2hRRRRRFk1+N5l9t4fsfjRKimUnq
Threatray 4'441 similar samples on MalwareBazaar
TLSH 4875D181B2A5C8AAD51722F0D897F4F422A17D45EA22911F359FBE1F79B33521093F0B
Reporter theDark3d
Tags:malware zmutzy

Intelligence

File Origin
# of uploads :
2
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VWR REVISED.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-22 07:29:20 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/d843d589-2adc-4ec6-9db5-4d9ce031302b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143526/
Detection(s):
SecuriteInfo.com.UDS.Trojan-PSW.MSIL.Coins.gen.26863.9432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692514
Signature
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 395197 Sample: VWR REVISED.pdf.exe Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Detected unpacking (creates a PE file in dynamic memory) 2->40 42 Yara detected StormKitty Stealer 2->42 44 6 other signatures 2->44 8 VWR REVISED.pdf.exe 3 2->8         started        process3 file4 24 C:\Users\user\...\VWR REVISED.pdf.exe.log, ASCII 8->24 dropped 11 VWR REVISED.pdf.exe 1 18 8->11         started        process5 signatures6 46 Writes to foreign memory regions 11->46 48 Allocates memory in foreign processes 11->48 50 Tries to steal Crypto Currency Wallets 11->50 52 2 other signatures 11->52 14 AppLaunch.exe 15 3 11->14         started        18 AppLaunch.exe 2 11->18         started        20 InstallUtil.exe 11->20         started        process7 dnsIp8 26 icanhazip.com 104.22.18.188, 49715, 80 CLOUDFLARENETUS United States 14->26 28 api.mylnikov.org 172.67.160.130, 443, 49717 CLOUDFLARENETUS United States 14->28 30 207.189.1.0.in-addr.arpa 14->30 54 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 14->54 56 May check the online IP address of the machine 14->56 58 Tries to steal Instant Messenger accounts or passwords 14->58 32 104.21.9.139, 443, 49754 CLOUDFLARENETUS United States 18->32 34 104.22.19.188, 49753, 80 CLOUDFLARENETUS United States 18->34 36 2 other IPs or domains 18->36 60 Tries to steal Mail credentials (via file access) 18->60 62 Tries to harvest and steal browser information (history, passwords, etc) 18->62 22 WerFault.exe 20->22         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc8981fbaba568d24617445293a465a341cb2ac3055e8cd29c5bad2ee1f6b952/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 05:54:33 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7seyd65luvunerqxirjjhjdfuna4wkwdavpizuu4lows5ypwxfja._file
Verdict:
suspicious
Similar samples:
222386adc9e4c25fd36319d0ad90f5e9eca14aa8cf3b3f3425dcb60a5fea4b30
3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0
4e54f08a98b07f89fe1441642c32d046c37875460aa66d03111b3c6219707842
aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866
b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd
d814af14bc2fb8e5a66fd36a327eaadaea29269967ed6af99dc7c9ff3f7b8f28
da3f2156d9c0809395cf299e9818a43849a62226ab3b95fcdc0abd4eda78b3a6
f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582
ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7
+ 4'431 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210422-jqp7551fp2/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads local data of messenger clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc8981fbaba568d24617445293a465a341cb2ac3055e8cd29c5bad2ee1f6b952

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/143526/

Comments