MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249
SHA3-384 hash: 6bb13ccdc636605df46bd1c1d7e54f5997872d92f818aed25ae260087e9c25c011e9b3a2d478c0227fdbd41d5db7a147
SHA1 hash: d08c5c0188c8bb4e84b41bed78a805cbc0a127de
MD5 hash: 6366b461b56945be4a795ca8bd346ec3
humanhash: massachusetts-triple-robin-monkey
File name: GENTECH PRODUCT INQUIRY.exe
File size: 657'576 bytes
First seen: 2020-07-16 18:34:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: adffce47f22050cf5b8ff3ba2e79cb3f (1 x Formbook)
ssdeep: 12288:hB/aceyJY1FpCS93iLgMn4f/H2ETEktvOIpcJpWNNHCf0u1Rak+0f0FHPGyO01l0:/y1GupCSKHETwxONJPFvGyO0
Threatray: 5'272 similar samples on MalwareBazaar
TLSH: A2E48F72F6514837C46355789C0B93F8682ABE103D28EC867AFD6E4C5F393A139391A7
Reporter: abuse_ch
Tags: exe


abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-752572.hostwindsdns.com
Sending IP: 104.168.237.25
From: Ayman Hashad <info@adiacts.info>
Subject: GENTECH QUOTATION
Attachment: GENTECH PRODUCT INQUIRY.zip (contains "GENTECH PRODUCT INQUIRY.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 69
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Detected FormBook malware
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected FormBook
Behaviour
Behavior Graph (node data recovered from the graph):
Behavior Graph ID: 246541; Sample: GENTECH PRODUCT INQUIRY.exe; Start date: 18/07/2020; Architecture: WINDOWS; Score: 100
Process chain: GENTECH PRODUCT INQUIRY.exe -> ieinstal.exe (thread injection, process hollowing, APC queueing) -> explorer.exe (injected; system process connects to network) -> wscript.exe, mshta.exe (x2) and 2 other processes; each mshta.exe -> Vsrufck.exe -> ieinstal.exe (thread injection, process hollowing); wscript.exe -> cmd.exe -> conhost.exe
Network: www.jbmove.net; googlehosted.l.googleusercontent.com (172.217.18.1, port 443, GOOGLEUS, United States); doc-0o-b4-docs.googleusercontent.com; www.askencore.com (196.196.115.112, PACKETEXCHANGESE, Seychelles); www.ucai-inter.com
Dropped files: C:\Users\user\AppData\Local\...\Vsrufck.exe (PE32, dropped by the sample); C:\Users\user\AppData\...\J63logrv.ini, J63logri.ini, J63logrf.ini (data, dropped by wscript.exe); C:\Users\user\AppData\Local\Temp\DB1 (SQLite, dropped by cmd.exe)
Threat name: Win32.Trojan.Delf
Status: Malicious
First seen: 2020-07-16 16:30:59 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe 38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249 (this sample)
Delivery method: Distributed via e-mail attachment

Comments