MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e05d02584918e7530cc38704666f8c551eb6f58f2853bfd3260500b642135da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 6



SHA256 hash: 5e05d02584918e7530cc38704666f8c551eb6f58f2853bfd3260500b642135da
SHA3-384 hash: b7da08461d575776ee4fe90b18f1e753756c242bd4b2737ac72e18c3dd76c248b142ad6bad59dccae50e5ab83f7040c7
SHA1 hash: 21c41b366aa476184ab9b2abda259e46d4603106
MD5 hash: 4f1669a84bf1c5a30d42bd1178131d97
humanhash: equal-oven-eighteen-oklahoma
File name: Campaign Data logs for invoicing.scr
File size: 301'568 bytes
First seen: 2020-08-17 18:46:52 UTC
Last seen: Never
File type: exe (executable; the .scr extension marks a screensaver, which is an ordinary PE file that Windows launches on double-click)
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (shared with 48'652 AgentTesla, 19'463 Formbook and 12'204 SnakeKeylogger samples: this is the generic imphash of a .NET executable, whose only native import is the CLR loader in mscoree.dll, so it does not discriminate between families on its own)
ssdeep: 6144:tCuqzvbO6TF9jOb690EgulO1Gt9G2+x8PCxorABA9p/r7EwuH0OKzD:Dobn5wVEhO1GtcsNrPX//uUOU
Threatray: 37 similar samples on MalwareBazaar
TLSH: FE54D0167227EA45D2AE09B284E35200452CEF0717ABC323FC9A310D6AB2FDE555F6D7
Reporter: abuse_ch
Tags: scr


abuse_ch
Malspam distributing unidentified malware:

HELO: bmail.inbox4.net
Sending IP: 35.154.151.245
From: Anurag Kodan <pallav.hspsms@gmail.com>
Subject: Campaign logs for invoicing
Attachment: Campaign Data logs for invoicing.rar (contains "Campaign Data logs for invoicing.scr")

Intelligence


File Origin
# of uploads: 1
# of downloads: 64
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file
Moving of the original file
Enabling autorun
Result
Threat name: NetWire
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Machine Learning detection for sample
Moves itself to temp directory
Yara detected NetWire RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 269685
Sample: Campaign Data logs for invo...
Start date: 18/08/2020
Architecture: WINDOWS
Score: 64

Sample-level signatures:
  Yara detected NetWire RAT
  .NET source code contains potential unpacker
  Machine Learning detection for sample

Process tree:
  Campaign Data logs for invoicing.exe (started)
    dropped: Campaign Data logs for invoicing.exe.log (ASCII)
    dropped: C:\Users\user\AppData\Local\Temp\svhost.exe (PE32)
    signature: Moves itself to temp directory
    cmd.exe (started)
      reg.exe (started)
        signature: Creates an undocumented autostart registry key
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
    cmd.exe (started)
      conhost.exe (started)
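The chain in the report above (the sample writes a PE named svhost.exe into the user's Temp directory, spawns cmd.exe, and cmd.exe runs reg.exe to create an autostart value) can be matched on an endpoint without knowing which registry key was used. The Python script below is an added example; it is not part of the MalwareBazaar entry nor any vendor's tooling. It runs over constructed Sysmon-style process-creation and file-creation events that mirror the process tree: the PIDs, the Desktop path of the original binary, the command lines and the registry key name (a placeholder, since the entry only says the key is "undocumented") are all assumptions. It flags two things: a file whose name is one edit away from a Windows system binary (svhost.exe vs svchost.exe) created outside the Windows directory, and a reg.exe add whose data names a file that an ancestor process wrote earlier, which is the self-persistence pattern the sandbox observed.

```python
"""Detect the drop-then-autostart chain from the sandbox report over
constructed Sysmon-style events. Added example, not part of the
MalwareBazaar entry or of any vendor's tooling."""
import ntpath
import re
from typing import Dict, List, Optional, Set, Tuple

# System binary names that malware often mimics with one-character edits.
PROTECTED_NAMES = sorted({"svchost.exe", "csrss.exe", "lsass.exe",
                          "explorer.exe", "conhost.exe"})
WINDIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.IGNORECASE)
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch svhost.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path: str) -> Optional[str]:
    """Return the protected name that this basename impersonates, if any."""
    name = ntpath.basename(path).lower()
    if name in PROTECTED_NAMES:
        return None  # an exact name in the wrong directory is a different check
    for protected in PROTECTED_NAMES:
        if edit_distance(name, protected) == 1:
            return protected
    return None


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """Walk an ordered event stream and return (rule, detail) findings.

    Event shapes (a subset of Sysmon fields):
      {"type": "process", "pid", "ppid", "image", "cmdline"}
      {"type": "file", "pid", "target"}
    """
    findings: List[Tuple[str, str]] = []
    procs: Dict[int, dict] = {}        # pid -> process-creation event
    dropped: Dict[int, Set[str]] = {}  # pid -> files that process wrote

    def ancestors(pid: int):
        while pid in procs:
            yield pid
            pid = procs[pid]["ppid"]

    for ev in events:
        if ev["type"] == "file":
            target = ev["target"]
            dropped.setdefault(ev["pid"], set()).add(target)
            mimic = lookalike_of(target)
            if mimic and not WINDIR_RE.match(target):
                findings.append(("lookalike_system_binary", f"{target} mimics {mimic}"))
            continue

        procs[ev["pid"]] = ev
        image = ntpath.basename(ev["image"]).lower()
        cmdline = ev.get("cmdline", "")
        if image != "reg.exe" or not REG_ADD_RE.search(cmdline):
            continue
        # reg.exe add whose data names a file an ancestor (the dropper, via
        # cmd.exe) wrote earlier: the self-persistence chain from the report.
        for anc in ancestors(ev["ppid"]):
            for path in dropped.get(anc, ()):
                if path.lower() in cmdline.lower():
                    findings.append(("autostart_to_self_dropped_file",
                                     f"pid {anc} dropped {path}; reg.exe: {cmdline}"))
    return findings


TEMP_DROP = r"C:\Users\user\AppData\Local\Temp\svhost.exe"
# Constructed events mirroring the report's process tree. The registry key
# name is a placeholder: the entry only says the key is "undocumented".
ASSUMED_KEY = "HKCU\\Software\\AssumedAutostartKey"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Users\user\Desktop\Campaign Data logs for invoicing.exe", "cmdline": ""},
    {"type": "file", "pid": 100,
     "target": r"C:\Users\user\Desktop\Campaign Data logs for invoicing.exe.log"},
    {"type": "file", "pid": 100, "target": TEMP_DROP},
    {"type": "process", "pid": 110, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'cmd.exe /c reg add "{ASSUMED_KEY}" /v svhost /d "{TEMP_DROP}" /f'},
    {"type": "process", "pid": 111, "ppid": 110, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": f'reg add "{ASSUMED_KEY}" /v svhost /d "{TEMP_DROP}" /f'},
    {"type": "process", "pid": 112, "ppid": 110,
     "image": r"C:\Windows\System32\conhost.exe", "cmdline": ""},
    # Benign noise: a real svchost.exe start and an ordinary user file.
    {"type": "process", "pid": 120, "ppid": 4,
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "file", "pid": 130, "target": r"C:\Users\user\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The second rule deliberately keys on the dropped path rather than on a list of known autostart locations, so it still fires when the persistence key is one a rule author has not catalogued; the cost is that it needs the file-creation event to arrive before the reg.exe event, which holds for an ordered Sysmon stream.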
Threat name: ByteCode-MSIL.Trojan.SmartAssembly
Status: Malicious
First seen: 2020-08-17 12:51:02 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe 5e05d02584918e7530cc38704666f8c551eb6f58f2853bfd3260500b642135da (this sample)

Delivery method: Distributed via e-mail attachment
