MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab1ee278de2057a74b9535e9058e4c4b3bee708a3ffb89cda6be7d9e94f58f87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab1ee278de2057a74b9535e9058e4c4b3bee708a3ffb89cda6be7d9e94f58f87
SHA3-384 hash: b9494943ab7eec24a1ea972bb36444bf3f50cca9f19214c39935e9153abc593aecf201eed4bde46624a3c1bf2fc1d445
SHA1 hash: 0dbd171c9d6e3291dc187aad614c2e24ec13db6d
MD5 hash: 839e9d0025ccd406a3e8624c0029d797
humanhash: carolina-missouri-pip-montana
File name:Afiqf.txt
Download: download sample
File size:6'274'482 bytes
First seen:2020-10-21 16:32:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91ae93ed3ff0d6f8a4f22d2edd30a58e (48 x CoinMiner)
ssdeep 98304:oKAscGZ/KyVyGHAeBSut+aFNnxsq8vpc4KbxabdDkaduupkZt4cU6uPIDInuNkrG:tAnmJlX+aFFx6hc+kFIq1DCgkr9Mg3mZ
Threatray 8 similar samples on MalwareBazaar
TLSH 7956331BF66145FBE4BA583195B6C8317279AD170F2414E7132C32A31C707A32BB9B6E
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sonic311-30.consmr.mail.ir2.yahoo.com
Sending IP: 77.238.176.162
From: Rose Maduna <rose@purequestair.co.za>
Subject: Quote
Attachment: c6.Qoute-Purequest Air Filtration Technologies Pty Ltd.xlsm

Unknown payload URL:
https://u.teknik.io/Afiqf.txt

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74229/
Detection(s):
PUA.Win.Malware.Generic-6651521-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
DNS request
Sending an HTTP GET request
Deleting a recently created file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/506291
Signature
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab1ee278de2057a74b9535e9058e4c4b3bee708a3ffb89cda6be7d9e94f58f87/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2020-10-21 16:39:11 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
078f883c1bcf8d0f9d5eb75f2dcc849564bb7e3fee851df036acb2e6870e95c1
0eb41e962d7be24fe14670c0bda3283dd6db00bbe813d1d93da23c125af8e4dc
49ea2b64601f51c9464960630f27180d4a4ae27c1dfd1ab0fe91a315ac945fa8
52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea
925f678c8adafa7aeae7d0894ea871001ffabe237d6e6b5764eabb0c59c6f8d1
c1674327bb311564153d7a76fdca4063d120d910e307c4b5d430a0c81dffc64a
e6ff6d164a876c50bfc4a6f7b6397914f9656d0e4aef1ceba65f1e92ed1b6c69
ee86f083fdb8d5e2f4d1d609faf964fa08a01875bc0abb364aeb09bb83c35f8c
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201021-8n8z9megga/
Behaviour
Suspicious use of WriteProcessMemory
JavaScript code in executable
Looks up external IP address via web service
Loads dropped DLL
Unpacked files
SH256 hash:
ab1ee278de2057a74b9535e9058e4c4b3bee708a3ffb89cda6be7d9e94f58f87
MD5 hash:
839e9d0025ccd406a3e8624c0029d797
SHA1 hash:
0dbd171c9d6e3291dc187aad614c2e24ec13db6d
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
bfb02ba2cea7d1b148b0506b084a110d2adcfa18624161120800b55e24819d8c
MD5 hash:
46c9e4bc355861eb44db2ce3387e0871
SHA1 hash:
7fd2ef6e6b515a2826d3ef45d8fb93307f97f1a9
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
39db5301628fd1dbb81b6f99733a9da97b4d79482ba62b4fc822523cb6e0dacf
MD5 hash:
36f74901246c933530b0bf408d1a32fa
SHA1 hash:
bd74e7bb0940c1648b4cb34b4edc263688ccd571
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
5466399934001a4e3f54a12a3120c7afdbbd9220ca17059ba934dd04582e042f
MD5 hash:
77c30738ac36ec34c10bcd079a451a5e
SHA1 hash:
eef051c9a378e4def1e7786b45244c187d151826
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
48d8bd13fb277f19bf936d2cf6de07cb52d5ab7cdffd7e6b9d952aeb1132a5f9
MD5 hash:
3852360ed07dbb7a2b58c9dcee29c705
SHA1 hash:
f76453512d300e50cc4f7ede14677402eb065892
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026
MD5 hash:
9b59be1fa8427368c4e0e763f578d74c
SHA1 hash:
7287fe431a0a67aa41e9952906759746ddcffad1
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
c620ad0e2bc43b201c6d46010ea3a5cff3037e442d1701c42d2c1cf5e616b4a4
MD5 hash:
031cae6d6455eef8082e4ff260dfd9f8
SHA1 hash:
1701ac20d9a09a95b9d169c4f093d326dcd4f362
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
2c64f312ba6dec8c8c3d6748d7c50604a8a7d18fd80cb78155e7b222f821e0b9
MD5 hash:
75546240d8020b36e6f931a249edf77d
SHA1 hash:
2af5e9d4082ba4b697fa42c784dba1bc809ac218
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
3aa6b92851d53a27b762ad0ae11bf02dfefeb9a886717d7537d5ba12cb4e4d12
MD5 hash:
be120408ef57f9ce48b4fc5c21a7d66b
SHA1 hash:
b6fe521ed64bea5d7c42580460a142b579aa1afe
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
SH256 hash:
426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c
MD5 hash:
a13020f231b588d46aaf82fe9314efdc
SHA1 hash:
fa43858266fbfa564e98fba78f7e8634659f2dfe
Link:
https://www.unpac.me/results/49c7d7dc-4440-4f70-bbd3-9784601c600b/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_File_pyinstaller
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Description:Detect PE file produced by pyinstaller
Reference:https://isc.sans.edu/diary/21057
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Excel file xlsm 52123ddbbb1ca64d78b18991637603310abaf9a93bcc9c345fcd2f50016e25b3

Executable exe ab1ee278de2057a74b9535e9058e4c4b3bee708a3ffb89cda6be7d9e94f58f87

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/730163/
  
Dropped by
MD5 a2c10fdcb9a1c732e9a2f60061577fcf
  
Dropped by
SHA256 52123ddbbb1ca64d78b18991637603310abaf9a93bcc9c345fcd2f50016e25b3
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/74229/

Comments