MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14a05f83f3f9c0b172bf0692c3684fbef701a0192a5e218ba8d123856fc1bc52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14a05f83f3f9c0b172bf0692c3684fbef701a0192a5e218ba8d123856fc1bc52
SHA3-384 hash: 107d4bbddfaea3320f4f974e61e742ac54d3db1a361c9c39b3153d95c8d5098bcd28a38fb55e0106b357631f420e1311
SHA1 hash: fe18be2e01838882e11a06f1ebe21f4343a6675b
MD5 hash: 405d4a2624f338b02bec4bc6cfcac1f9
humanhash: beer-alaska-monkey-november
File name:RQ_SIR432432_PurchaseOrder.exe
Download: download sample
File size:793'088 bytes
First seen:2020-08-14 08:11:30 UTC
Last seen:2020-08-14 09:02:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:fjF+j4VBBtcjN+utRRHqi8RUGpR5MY3HPXH:fjIYiXtPHqiGprMYP
Threatray 30 similar samples on MalwareBazaar
TLSH 72F415E3DE14B60CDD7406FB323B5B4C1E692C1DBEE59ACB1B4DF996C632A21200E552
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mailfilter.hostsailor.net
Sending IP: 109.201.130.65
From: Ms Rose<pro@autordct.com>
Subject: New Order/ ETD Confirmation
Attachment: RQ_SIR432432_PurchaseOrder.img (contains "RQ_SIR432432_PurchaseOrder.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45604/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.29814.9047.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/428904
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/14a05f83f3f9c0b172bf0692c3684fbef701a0192a5e218ba8d123856fc1bc52/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 08:13:08 UTC
AV detection:
25 of 48 (52.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=csqf7a7t7halc4v7a2jmg2cpx33qdiazfjpcdc5i2eryk36bxrja._file
Verdict:
unknown
Similar samples:
00c3032bacb17b0624f5f550e22169259a9f4c1212845cb202be466fae55aaf7
55a85320a226d58c12355a5836a77fd17fd270fefa30612da9e6a79b9f17b222
653f9230a0dfc61996a0213363c938cc629fe374f877febd3df485369d1f476a
936e09ee7971218f5d76ea7148357094990a921004add09a6b3823aafc7bfd51
9c3a4bfb0cb3da7187e39fdc53a216066058b5607bd1f1857249f7908912b48c
af9aee5b4234182ecb5acef175f3bcc12348954fd875e4a4eccf005427525e7f
c953db5455cedad0e98747749e5a6df0d5d10362831bb472ea5c023868642f01
dce254811aa1fb718c9212489cc1dfe76a579d3bb3363758188021ab6843295e
dd19bace27d42e2a34d4ec3a92671ad7c615a2eab04cf66bf4682fd604eaca11
efaba3ff05251ea102dcb4df59f6c5f23c7b7f43a471d6464850c16098c62d01
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200814-4lk7fy7jdx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/14a05f83f3f9c0b172bf0692c3684fbef701a0192a5e218ba8d123856fc1bc52

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img d00325088dc8c2ed9132f1aef1068e02a8e099a01c4d2fc57bc066a1fcf08989

Executable exe 14a05f83f3f9c0b172bf0692c3684fbef701a0192a5e218ba8d123856fc1bc52

(this sample)

  
Dropped by
MD5 cc7426a100900e048235b8d7a17577b5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45604/
  
Dropped by
SHA256 d00325088dc8c2ed9132f1aef1068e02a8e099a01c4d2fc57bc066a1fcf08989

Comments