MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60
SHA3-384 hash: 1009474f94e15ae5d0a69366e3e32e60422c1f09614c5003fb05be68bc91fdf74ff0aa6b4dd47b7727fe5f80403b1334
SHA1 hash: 7d262fc3352fea32ec3c7f66297b4f1998b5f062
MD5 hash: d38e9c39faac975c30bd2fb2020ba43c
humanhash: bacon-pennsylvania-tango-zulu
File name:order_pdf.exe
Download: download sample
File size:932'352 bytes
First seen:2020-06-29 11:23:57 UTC
Last seen:2020-06-29 12:01:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8bf0b8175bc71f48d381c3afeae44e55 (3 x FormBook, 1 x AveMariaRAT, 1 x RemcosRAT)
ssdeep 12288:4mXqeinhqmSqxnDqnsQi8oMr8gRZAMrK+g7xBTCIJuxd6Ur5IScz5ISF+gAuA1KD:4oAjSqxusBdq7rkoYX/ebPx+E7soD
Threatray 5'275 similar samples on MalwareBazaar
TLSH 5415AE22F3D01037DD7326B89D5FAA6959267E802E69A84A2BF43DCA5F3D3517C1D083
Reporter jarumlus

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16204/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 11:25:06 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yf37tnf5osvysxs3k26s3ylw7kho6vkdl5rkonh2xrfbefmybrqa._file
Verdict:
malicious
Similar samples:
017f433a49afcc765c5a5e7f39de6251fbe37d9c98f7d86f1abcefb1a9f559bc
25f6c5158e721c17e99b7948f083978dc74f1d10e9a500000a7ff476e75eeac6
3c5ef5423e281a468e9f0381327a9635f20626a98054e769fc08dd4270db01e4
40e20cc321623df3271e2ea7cbe75f647096a8a30737d21d0ef8ddbdc33a7f49
4844f86de461d882aa8fba67fe579696bb68e5a5a02d725b2bd9732101f86966
58ced5958ea8fea452bbaa34bba957927c391a0d3699542fb3702cdab990c70a
7d76b11ffd54f1f7f61dae2d07689f986a40a6bcf79e2606610f77a5c7bb20de
8afd54f2ed0af6d9593b0985cec1604748ca753900859fe4ee225d21b574e55e
c5ccddfa0f7ee807513279b0195460cd48f3b36f2154c93ff3945fe30c647dde
d99947df7b80d4cf1f998cd4c205df67be0afc6ab0d9b4d92988b1aeccc1bf0c
+ 5'265 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200629-ta4v3fdyva/
Behaviour
Suspicious use of WriteProcessMemory
Adds Run entry to start application
Legitimate hosting services abused for malware hosting/C2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip e038a7d171a10ca61465d6ee64ec6e026e3d91af74c87a7657adcff29d20a244

Executable exe c177f9b4bd74ab895e5b56bd2de176fa8eef55435f62a734fabc4a1215980c60

(this sample)

  
Dropped by
MD5 b2837bd08fda1f98354df48c37996c53
  
Dropped by
SHA256 e038a7d171a10ca61465d6ee64ec6e026e3d91af74c87a7657adcff29d20a244
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16204/

Comments