MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172
SHA3-384 hash: e2ffb34a9e708d2edf6d86f50b9107f51dd3cf3c168508a88f5f7ed5135f287a811d051c0bc28a0d2831d0773b1bd97a
SHA1 hash: b74c63549416dd5756c2bc75cfc0743ddfe925fa
MD5 hash: 36a1f9ebb9147ae271bfc11b3594a282
humanhash: wisconsin-tennis-romeo-fifteen
File name:36a1f9ebb9147ae271bfc11b3594a282
Download: download sample
File size:121'200 bytes
First seen:2021-10-22 21:33:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 1536:66zs2Tw0lZ0p71gwumR5e6kE4+0PvsFvmOw38ABVGKPP9ey+V9DkYdWLnudb7UfN:pYaagwumRE6Q14vmOw38a9Mm
Threatray 173 similar samples on MalwareBazaar
TLSH T1FEC3F17897D88637DCFB6F3298A5D702A730A702BC53CB2F85C881960D9325259F179A
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
403
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199529/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.29223.10952.17820.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a service
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file in the Windows subdirectories
Unauthorized injection to a recently created process
Adding exclusions to Windows Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/61732e4cdb358dd15ed676ab/reports/426c0bcc-8c3c-4a4b-b74d-2de14a65a242/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f7a20f3d-9b6e-41f2-beb2-101c5656ee03
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/875528
Signature
Adds a directory exclusion to Windows Defender
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507955 Sample: 2HqOMXAR1H Startdate: 22/10/2021 Architecture: WINDOWS Score: 100 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected UAC Bypass using CMSTP 2->83 85 Yara detected AntiVM3 2->85 87 6 other signatures 2->87 9 2HqOMXAR1H.exe 18 6 2->9         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 process3 dnsIp4 77 cdn.discordapp.com 162.159.129.233, 443, 49756, 49757 CLOUDFLARENETUS United States 9->77 71 C:\Windows\Resources\Themes\...\svchost.exe, PE32 9->71 dropped 73 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 9->73 dropped 91 Creates autostart registry keys with suspicious names 9->91 93 Creates an autostart registry key pointing to binary in C:\Windows 9->93 95 Adds a directory exclusion to Windows Defender 9->95 97 Drops PE files with benign system names 9->97 20 powershell.exe 25 9->20         started        22 WerFault.exe 9->22         started        26 powershell.exe 24 9->26         started        34 2 other processes 9->34 99 System process connects to network (likely due to code injection or exploit) 14->99 101 Multi AV Scanner detection for dropped file 14->101 103 Machine Learning detection for dropped file 14->103 28 powershell.exe 14->28         started        30 powershell.exe 14->30         started        32 powershell.exe 14->32         started        36 3 other processes 14->36 105 Drops executables to the windows directory (C:\Windows) and starts them 16->105 79 127.0.0.1 unknown unknown 18->79 107 Changes security center settings (notifications, updates, antivirus, firewall) 18->107 38 4 other processes 18->38 file5 signatures6 process7 dnsIp8 40 conhost.exe 20->40         started        75 192.168.2.1 unknown unknown 22->75 69 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->69 dropped 43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        51 conhost.exe 34->51         started        53 conhost.exe 38->53         started        file9 process10 signatures11 89 Adds a directory exclusion to Windows Defender 40->89 55 powershell.exe 40->55         started        57 powershell.exe 40->57         started        59 powershell.exe 40->59         started        61 3 other processes 40->61 process12 process13 63 conhost.exe 55->63         started        65 conhost.exe 57->65         started        67 conhost.exe 59->67         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172/
Threat name:
ByteCode-MSIL.Trojan.Heracles
Create hunting rule
Status:
Malicious
First seen:
2021-10-22 21:34:05 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1feda728feb0187e19e099ddfcb542c608b3ec67149592520c1515bc6d3ada03
278602396c9f613328746aa33d0fa09d0aac466c68ca349ec0d8193d664aef35
4465deaaeff5c68689f14af3d9d27e67158fed1300c72d193b6f6c51b4ad69b3
54ff8bf201c18be4c5685d5e80669d1aa817063c9a4a10d6a880c460fd0adf93
9e614b7116a337119dc6f8c32722859fc862f485bc0169c66ad958b63744ceaf
9f988a3199e626f789a99578c1c69f0ccd3e13d7c0d1033c01270cabf7b61de4
a58cf7753cdff434e81e0163ec97f8e1a8b32c80ddfa7cbf021778a759f78842
d7b59654644c399eaf13d7460b928ebf8f94bfd9e97e4a135ef005719e4eb18b
ed105f2c43643335bcaeb304c932a5d484c4ecca3ce992f11c79fefa1be250d9
+ 163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/211022-1ercgacbb9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Adds Run key to start application
Windows security modification
Windows security bypass
Unpacked files
SH256 hash:
fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172
MD5 hash:
36a1f9ebb9147ae271bfc11b3594a282
SHA1 hash:
b74c63549416dd5756c2bc75cfc0743ddfe925fa
Link:
https://www.unpac.me/results/e96d424c-762c-46c8-9da9-8cbc2e638912/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/fc8c983c7030/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fc8c983c70303955fbbf53be566a1e573a231e2d38aaeaee4ed30a064a1bf172

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1709504/
Cape
Cape
https://www.capesandbox.com/analysis/199529/

Comments