MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e6d502d455f4d1db45f465ff69d1d2f53a78afffbda8e6bc2b12c99ca012926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 6e6d502d455f4d1db45f465ff69d1d2f53a78afffbda8e6bc2b12c99ca012926
SHA3-384 hash: 8dbb7a77debc7ce26b86b6f0d52f6ee253efd5903cefd52bf40aedee6deeb83a093df052ed6a2a350eb3fc71b2dfb4f8
SHA1 hash: 6067e82bf295eb76c415a5c4910ea578bae96933
MD5 hash: 05dea597f5e2fdaf7dd91dc2732eb54b
humanhash: don-papa-finch-alanine
File name: Proforma Invoice.exe
Signature n/a
File size: 420'352 bytes
First seen: 2021-09-28 06:32:16 UTC
Last seen: 2021-09-28 07:33:18 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (23'043 x AgentTesla, 5'566 x Formbook, 3'013 x Loki)
ssdeep 6144:iubE9UmzhN23zG8KGBAOq+hKqr7tGUAI/njChopL3Woqz2ss1SJMllo:azhYz/Ni+hBr7IUAILVzAsvlo
Threatray 6 similar samples on MalwareBazaar
TLSH T1A89449DA1EB457CBFB5E01F8F9782B8813BA9024E59BF3C2CA45B0B351367644920DD6
Reporter @cocaman
Tags: exe INVOICE

Intelligence


File Origin
# of uploads: 2
# of downloads: 86
Origin country: FR
Mail intelligence
No data
Vendor Threat Intelligence
ID: 1
File name: Proforma Invoice.exe
Verdict: Malicious activity
Analysis date: 2021-09-28 06:45:52 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
[Behavior graph, ID 491978. Sample: Proforma Invoice.exe; start date: 28/09/2021; architecture: WINDOWS; score: 76. Dropped file: C:\Users\user\...\Proforma Invoice.exe.log (ASCII).]
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-28 06:16:01 UTC
AV detection: 11 of 45 (24.44%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 6e6d502d455f4d1db45f465ff69d1d2f53a78afffbda8e6bc2b12c99ca012926 (this sample)

Comments