MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acef143204e66bd0ef761c302176d61d547b9bfd78960c7607a9863bdafaae19. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: acef143204e66bd0ef761c302176d61d547b9bfd78960c7607a9863bdafaae19
SHA3-384 hash: 4c2cb5bf36b673d680d3a0eb578bdeb9329946a3b497002d9cbe15bccd8e0a7d68b88b12a760f3334ceb4960f61bf8fd
SHA1 hash: 88c9d384602aa6f47c8d12af7df6b7df9cb2891f
MD5 hash: 3873065a859c7028cd9db46bf2950e36
humanhash: eighteen-cold-texas-mars
File name: #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe
File size: 870'400 bytes
First seen: 2020-08-20 06:17:59 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:karV6M52Acwvw+bSPB5PKmZYZZJmi2uh6C7SWHofIcwkZxT1pWjEQLlud:9j52AcwY+b63JCJmivsC7ZowaT183M
Threatray: 559 similar samples on MalwareBazaar
TLSH: 9C05238713242B36EA3897F46175716153F3291B2621F64CEEC929FF28A57058832FDB
Reporter: abuse_ch
Tags: DHL, exe


abuse_ch
Malspam distributing unidentified malware:

From: "DHL Service" <sales@simscere.com>
Reply-To: "DHL Service" <sales@simscere.com>
Subject: Attn: We have Your Packages
Attachment: Reference_Reciept_Dhl_.7z (contains "#Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe")

Intelligence

File Origin
# of uploads: 1
# of downloads: 75
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour:
  Creating a window
  Sending a UDP request

Result
Threat name: MassLogger RAT
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature:
  Deletes itself after installation
  Injects a PE file into a foreign processes
  Machine Learning detection for dropped file
  Machine Learning detection for sample
  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  Sigma detected: Scheduled temp file as task from temp location
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Uses schtasks.exe or at.exe to add and modify task schedules
  Yara detected AntiVM_3
  Yara detected Costura Assembly Loader
  Yara detected MassLogger RAT
Behaviour
Behavior Graph ID: 272894
Sample: #Reference_Reciept_Dhl_expi...
Start date: 21/08/2020
Architecture: WINDOWS
Score: 96
Signatures on sample:
  Sigma detected: Scheduled temp file as task from temp location
  Yara detected MassLogger RAT
  Yara detected AntiVM_3
  5 other signatures
Process tree:
  #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe (started)
    Dropped files:
      C:\Users\user\AppData\RoamingTIskDNQN.exe (PE32)
      C:\Users\...TIskDNQN.exe:Zone.Identifier (ASCII)
      C:\Users\user\AppData\Local\Temp\tmp1C0.tmp (XML)
      #Reference_Reciept..._owner_2020.exe.log (ASCII)
    Signatures:
      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      Injects a PE file into a foreign processes
    Child processes:
      #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe (started)
        cmd.exe (started)
          powershell.exe (started) (signature: Deletes itself after installation)
          conhost.exe (started)
      schtasks.exe (started)
        conhost.exe (started)
      #Reference_Reciept_Dhl_expidayed_shipping_apporved_owner_2020.exe (started)
      2 other processes
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-08-20 06:19:05 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe acef143204e66bd0ef761c302176d61d547b9bfd78960c7607a9863bdafaae19 (this sample)
Delivery method: Distributed via e-mail attachment
