MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 46f8fc3fce1ea9a75ddf3756a7bcdd1fea6b5d86717dfef472a4177d4bb8ab8e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 46f8fc3fce1ea9a75ddf3756a7bcdd1fea6b5d86717dfef472a4177d4bb8ab8e
SHA3-384 hash: d89989d93913736093f5f03013e8ebb5d5e22109278d02ef53c91dd549000a4a8cc76e0e8718e0dd17964d9ec4939e1e
SHA1 hash: 7f6603e96f66fdb4357150da32bd65af56c412cd
MD5 hash: 53e7e3ee6ac3368dc2a938721ad253a7
humanhash: oklahoma-edward-helium-jig
File name:AWB 6059455463.exe
Download: download sample
File size:1'455'616 bytes
First seen:2020-04-08 10:07:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:XCdxte/80jYLT3U1jfsWavxz1cYMzfRB5t1T/rQE5ytVsixVQ:mw80cTsjkWavnIzNtB/rx5yn0
Threatray 890 similar samples on MalwareBazaar
TLSH E165D02273DDC371CB669173BF6AB7012EBF78610630B85B2F980D7DA950161162DBA3
Reporter c_APT_ure

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-04-06 23:53:26 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i34pyp6od2u2oxo7g5lkppg5d7vgwxmgof6755dsuqlx2s5yvoha._file
Verdict:
malicious
Label(s):
pony
Create hunting rule
Similar samples:
22cb196542d83d6a2fece818c7fc714bdfb6daf6f71ffc8ace80e0e9d5c7cfde
23e3757121ff1a0c053d2dc66651ad8e2152373724a8091c56a7fae203401cab
40bcf1b92cac08e72eb025659bb892a41926ebd655f448ff5544ece312986987
49f23a6aa07ad1617e09d06680a7e2544ba8daa9295285405b7c82ab96b8a335
5623df29bdeb9756ab512f3c77dd11725878939a0b8d98726798d8604ab60dfa
82c531ee47fd52c78ed90b259be7908208ae6657a75643fce70df85eb0cd64a3
9026e9b714998846a26087ed7f5a276b1399204a1e34d469571a7301ce720931
98adccc8a599f53904c5cd22c7398d6b692c642807cab71f1ab6d2dc65e1c5a5
e4b839be39665555c0637a45d7835cf5aed0633b9d3b3c72b0c3710555cf2eb0
eadde88c8f7d7dcd4174654c77714475743d46b6314f56790e04da399f62f878
+ 880 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 46f8fc3fce1ea9a75ddf3756a7bcdd1fea6b5d86717dfef472a4177d4bb8ab8e

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CopySid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::GetAce
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileExW
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::CreateFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments