MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846
SHA3-384 hash:	69cf54a3a4551594507caeef35ed18e53afe777a4aa465458da98c57242ff14dd382a01d44c898d27c09ee9f9b6bd740
SHA1 hash:	5bf2a755a1afd0275a6b6907545d8b4a80cc0a65
MD5 hash:	250d52d34460604ca00617ca7ad2b8d0
humanhash:	avocado-minnesota-uranus-apart
File name:	ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846
Download:	download sample
File size:	1'537'536 bytes
First seen:	2022-07-13 04:49:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:gx0vtufKPsjpkbPwdnITPkGr9HtTwkpXDvASps9ojoU6ISv3OvSJ9QFQfrXu:gm7hzwdcsGttTwsUA0cSPaQf
Threatray	98 similar samples on MalwareBazaar
TLSH	T11D65AE62F9C2C1B2FDD515BA82FE2B371F394506632984E776C419E09AA10E275BF343
TrID	62.3% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 23.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 4.1% (.SCR) Windows screen saver (13101/52/3) 3.3% (.EXE) Win64 Executable (generic) (10523/12/4) 2.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	JAMESWT_WT
Tags:	1 exe

Intelligence

File Origin

# of uploads :

# of downloads :

255

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

0a60834e7cafde2e9ad9b99b26201af6c78520fa6c2adbed6a7a9c31810b7b64

Verdict:

Malicious activity

Analysis date:

2022-07-13 04:51:25 UTC

Tags:

trojan loader amadey phishing stealer

Link:

https://app.any.run/tasks/f14750e5-a505-4c53-aa28-d21093b65f18

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/286736/

Detection(s):

Win.Downloader.Powershell-9856919-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Creating a process with a hidden window

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

cmd.exe fingerprint greyware packed

Link:

https://www.filescan.io/uploads/62ce4efc8dab2096b9925855/reports/856c4f7d-5594-4903-a113-054d2bfd5d96/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/041975a2-289f-4bcb-8ccf-ae8ca3437c75

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1029864

Signature

Antivirus detection for URL or domain

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Self deletion via cmd or bat file

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2022-07-11 13:59:16 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 26 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=74bm2v6om73tmpfwplxh736r2tqr43yshgihfmky4h2xlzfvfbda._file

Verdict:

malicious

0b3020eb6b8360bae5958d4f8e877fe532d1c21bbaa851c364aaef0b6f67e1ac

1254eb8dd2f4b697e0bad62b9accdd5e9553e920dd131a450d742ba80844899c

1f68e889d3c4c7f8049bad4abd042fcd05e84ac96bf23d86e2e95aa8fe346593

3da7dccc0e92c7324dea07df10ba938dd21f4436e9b8dd20488517b5eff67676

5b682f3038aea6c3db35ba85a82712a1920adddd5587777742ca711dcd729757

8ae291c9a45bfe7bf3548ff2ed9f5221adf42810bcd7eca100dccb475a4b99be

8f620e963130716ac09ba5a7c75d7e7ea42ac1a4b66fc0a106e6feb40941fe23

eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9

f297f0a8651e14cf884331bc4ae10c238a6c79385741e507dc7df7c88b85beb8

+ 88 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware stealer

Link:

https://tria.ge/reports/220713-ff9j8aaban/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

9175429862866ec99ad965b69eb4185c9086240869085dfb8b15a93489d913f0

MD5 hash:

d3b12944fc6614785132d74d23a70fbf

SHA1 hash:

d890908b108c40be2ef8528310f7df79ee0c93b1

Link:

https://www.unpac.me/results/b4d29381-09b4-463e-bf06-6951f21a729f/

SH256 hash:

088d6869e848c5b2c607e9775725578ddf33c1be9c2485d80adb9bf5ae5125d2

MD5 hash:

23dbd3af02c3dd82f0e8227651f28b08

SHA1 hash:

875770d8ea7ac8f11969af0be1f628159e28a54b

Link:

https://www.unpac.me/results/b4d29381-09b4-463e-bf06-6951f21a729f/

SH256 hash:

ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846

MD5 hash:

250d52d34460604ca00617ca7ad2b8d0

SHA1 hash:

5bf2a755a1afd0275a6b6907545d8b4a80cc0a65

Link:

https://www.unpac.me/results/b4d29381-09b4-463e-bf06-6951f21a729f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.50

Link:

https://yomi.yoroi.company/submissions/ff02cd57ce67f7363cb67aee7fefd1d4e11e6f12399072b158e1f575e4b52846

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/286736/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample