MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95fd3400d70565e8bd28da81374df780073cd2762b922059b26150a560c6aba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95fd3400d70565e8bd28da81374df780073cd2762b922059b26150a560c6aba0
SHA3-384 hash: 7cef30c93ef576479486ce6eab8eb200f28de2026dd56834620652558675ef43511002d20d2efd837ac058f601f61c0c
SHA1 hash: 604b1a514f49c1544b24aa090459d817d35877bb
MD5 hash: e6d06ae5afa72b976d79b01a41e3620e
humanhash: alaska-seventeen-hotel-minnesota
File name:Purchase Order 77809 for acknowledgment.exe
Download: download sample
File size:256'512 bytes
First seen:2020-05-14 18:37:19 UTC
Last seen:2020-05-14 19:41:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:95ytDn8h9XLi5OQS8chorjsQnDe84Uxf22dHPt:9Awh9XLisjforoQnDlHdHPt
Threatray 5'124 similar samples on MalwareBazaar
TLSH 5444D08DB21072CFC86BD87A9AA40C74EA506477430BC347A45726ED994DADBCF481F3
Reporter jarumlus

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.46214.25876.15135.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 23:08:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sx6tiagxavs6rpji3katotpxqadtzutwfojcawnsmfikkyggvoqa._file
Verdict:
malicious
Similar samples:
1158faac2f05071553e63e40809ecdd0450934aa8e372728dcabf9cedbbb5ffa
2302aa79bb34eb683a91324995a9fb366bbbe55dffb53deee00b842e75ad19c0
2a40a9e18303875b2db452783190820001c898e8374864fec29793bf43bbe401
42ef43d60efa3d2092f6d23283334bb8485569754eb1075b553be43cd8ed9c60
99d9cdc246bf28881b009ae71b1611c83397b23b5adf5b3746f51a5a2903ec24
a119b8bd8e1427830ac76a7649318c0b2e9deb263b6c5e4ea0290c558d159b13
a9da529f0ad9088cec7e9441a7081084f417655533998caa004597a1bc6ef262
b24a5df4c63722afbed1e3807b18fcc065008ec3431de146dbf3657dffa00893
b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b
eded02bf0afea18ebbcaa7682ad7f3d1215b064cd2a3185f230b87195ef85218
+ 5'114 additional samples on MalwareBazaar
Result
Malware family:
formbook
Create hunting rule
Score:
  10/10
Tags:
family:formbook rat rezer0 spyware stealer trojan persistence
Link:
https://tria.ge/reports/201109-xpc1llypws/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Deletes itself
Reads user/profile data of web browsers
Formbook Payload
rezer0
Formbook
Malware Config
C2 Extraction:
http://www.slacktracks.info/y22/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 55fcec41c1661d5c447858a9a7ecdb1a8fe98a1572fbdf9abf11f436fb23ce57

Executable exe 95fd3400d70565e8bd28da81374df780073cd2762b922059b26150a560c6aba0

(this sample)

  
Dropped by
MD5 4b6fb9869cbeed4a0fd150d968c6a830
  
Dropped by
SHA256 55fcec41c1661d5c447858a9a7ecdb1a8fe98a1572fbdf9abf11f436fb23ce57
  
Delivery method
Distributed via e-mail attachment

Comments