MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f455b48c43367bf28076037a2d441e78f81143ea5067f144e7d5c6abb79dc73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f455b48c43367bf28076037a2d441e78f81143ea5067f144e7d5c6abb79dc73
SHA3-384 hash: 51fe690d9a03d5e4dc32a1f004bacc0c9d8ab16fd5863a714d1d3c48ccc900620f857142b54d3030ee73711094db8769
SHA1 hash: e0f9dbc2684f4cb463def29a0a5926f423abe6d5
MD5 hash: 6b117c9930c986434201b6e813a5e130
humanhash: lamp-oscar-vermont-item
File name:Final_Invoices_For_Payment_Fairmont_Shipping_pdf.exe
Download: download sample
File size:283'136 bytes
First seen:2020-06-02 08:31:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:mAaUxhNMJx1Mp15fbjebV7Nr6JD6u8w/CpLm3igJPIQqJf1oFCrL391+ondYJWPJ:faUDG3Kp1pb6VEJD6LpdVLOQVPI08
Threatray 1'935 similar samples on MalwareBazaar
TLSH 0E546B1A32CA5822C17D4233163753C19B769E463693EB1F29EC23185F3778B7B15B8A
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.cesosenintl.ml
Sending IP: 64.188.23.5
From: Fairmont Shipping (HK) Ltd. <amyhong@fairmontshipping.com>
Subject: Declined Final Bank Payment
Attachment: Final_Invoices_For_Payment_Fairmont_Shipping_pdf.gz (contains "Final_Invoices_For_Payment_Fairmont_Shipping_pdf.exe")

Unknown malware C2:
http://coroheus.ml/roksone/logs.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 02:13:22 UTC
AV detection:
17 of 31 (54.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5cvwsgegnt36kahma32fvcb46hycfb6uudh6fcopvogvo3z3rzq._file
Verdict:
malicious
Similar samples:
03858ed158440d03ed25802a74b88cc2091960e35ded3901d4d0370c88a38d9f
0592333ddc8cbc8651ba7b782a70b972e4627b1505ba9b1812a97046f0484df1
073c3d60993b41a1ea5847c06dab48a4bf4e3da87e74d26d8d51a1c11e0dae0c
08f7d226c61cc7f24dfc55909238659ddf5c09f47127f348322c2d8636cdca1c
2e043413f5c0ba21ec762bb6007cf8fbb93c7dc25eb4bcd03d276d128f310cfe
5303d0b00592274902d1bb42486dced975ac201463869494cb48a1c8c41e95ce
6d415497a3d0845048c1ccafb82bf70283dd6976dbabb8f1cf639b9780571a40
7765882da3fa82551473e15f93716036e185b9d88f153fbb1566897dc0f52673
7fbbc53861d27c037953d846e4726b3e2f0a1a1b2508128ee400b138aeb1f3ce
e6628501ee0344c1e6c7adc92944f5ddc7c784c1ac6278bdd7b66164b01707d3
+ 1'925 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet persistence spyware
Link:
https://tria.ge/reports/201109-6r51ldt8ea/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip def66c779922c315bf4bf0e9d872bc1a1204407f7e17d3c0a7a9572ea0acbf9f

Executable exe 0f455b48c43367bf28076037a2d441e78f81143ea5067f144e7d5c6abb79dc73

(this sample)

  
Dropped by
MD5 4dc99d6b5dbf6825d5831bb8c66fe2ba
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 def66c779922c315bf4bf0e9d872bc1a1204407f7e17d3c0a7a9572ea0acbf9f

Comments