MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50a57ceaa2112a0aab709769501b2a09db7786f5c67d8d61d07c67a2b25389f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50a57ceaa2112a0aab709769501b2a09db7786f5c67d8d61d07c67a2b25389f7
SHA3-384 hash: bbb88ae736f14b8420e416120d53b9d9b390f2a45971c3bddbe8c47292394f622b9da74ed631da85ce350af261bfb576
SHA1 hash: 3636770766116af911e93b713c8b6cf7deab4f03
MD5 hash: d61b5a065d2927c26bb714a434bab07e
humanhash: virginia-fourteen-mexico-winner
File name:Payslip.exe
Download: download sample
File size:365'056 bytes
First seen:2020-08-05 11:43:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:/akZWGYlDhZ//qtSMyw/yM52SKidP3Z6c7B9Aqk:/akKjZASMyu52yN3Z6cl
Threatray 708 similar samples on MalwareBazaar
TLSH D274BF3975464C0CE95EC2B468B4D9C23B61624A3FC58A2FA4CF93CC7F0286F7B1655A
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server0.ihswt.com
Sending IP: 142.11.236.209
From: "Per Te Corporation" <sales@ihswt.com>
Subject: Payment Advice
Attachment: Payslip.rar (contains "Payslip.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39477/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/411035
Signature
.NET source code contains very large array initializations
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50a57ceaa2112a0aab709769501b2a09db7786f5c67d8d61d07c67a2b25389f7/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 09:01:42 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcsxz2vccevavk3qs5uvagzkbhnxpbxvyz6y2yoqprt2fmstrh3q._file
Verdict:
suspicious
Similar samples:
0c92c000cf6c2379961f35355527b1886d053245d90a584d8d7191bcb6ebccb6
117dfe206b81a8a8f4538a70d46e6d0366367219318ff971b5039fbfc0963234
1fe24761cfcb48d6d3a4f1ad9d02c2429c7f567fda2bda78f5d12c89717c6285
3458232b533e946c63311cd8241c2a390868950d89c3f5e3aaac3f2413c9b82a
384492c2e1e40aeabc868eb7c83065f9b6089c2bb7f5f70555638c168fee3db2
73b89fc45543835bfcd911b95e718168d1c24da61e87a916bee8a48f21d29eeb
89b4121aae370dd8b644fc0e426e24d17087b25e1646aaf02e56b147627efd16
91433fed32b520cfc98adb3cd6bae0a973117440474e47eff440bddb37262287
a9d6e04e7b2eeeb893499488cd39857dd3e48a993d41cc478ba8f654f820007a
afe4edd3d00f95f9dbab6934ae1eb0a7354dc1f950182a27774ece0134a0166b
+ 698 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-b5mm4qsj8e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50a57ceaa2112a0aab709769501b2a09db7786f5c67d8d61d07c67a2b25389f7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 496848989a018c073ecd81109f5624c793719e607c13f11f2c63617a8c8d3a0e

Executable exe 50a57ceaa2112a0aab709769501b2a09db7786f5c67d8d61d07c67a2b25389f7

(this sample)

  
Dropped by
MD5 3d2dcd4584611759e9968b7b2f48f9d2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39477/
  
Dropped by
SHA256 496848989a018c073ecd81109f5624c793719e607c13f11f2c63617a8c8d3a0e

Comments