MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d534b7ba8611e09a0f7be51d7052d698f41a1531b0ba22fe9ef40f6ac49833f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PureCrypter


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d534b7ba8611e09a0f7be51d7052d698f41a1531b0ba22fe9ef40f6ac49833f1
SHA3-384 hash: bfee2345cc112f73f35a9306467fd7710b10b8bd19fccc4b1840580a2134fac6cf6797788cc082bf4f9c56e1a4616f15
SHA1 hash: f06fd3207d506afc47ed3a92850fde4388566246
MD5 hash: 6ce80283f74427dc314d93df050decf1
humanhash: alabama-timing-burger-monkey
File name:DHL Air waybill.scr
Download: download sample
Signature PureCrypter
Create hunting rule
File size:286'208 bytes
First seen:2022-12-08 11:02:08 UTC
Last seen:2022-12-08 12:48:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:8FDutOc6duxKLo0E/3m588qdKwNvBVWL1BebWJ0hyJ0KSBAbMceoCD+/lI:8FDutOc6duxKLor3mNgF1BV+Be6G0J0E
TLSH T11254F14730D7926DCBBA07F2DCAD41C242B5C2425831EA7F9D6122D55BA3B218FE52CE
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:DHL exe purecrypter scr

Intelligence

File Origin
# of uploads :
2
# of downloads :
188
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/344297/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.10938.20485.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6391c468f6e448d42df79f27/reports/01b4f38c-7e39-4a24-83b4-8587e837c032/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3454709e-e0b0-4c76-94c5-944657f928ef
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1130664
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 763389 Sample: DHL Air waybill.scr.exe Startdate: 08/12/2022 Architecture: WINDOWS Score: 100 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus detection for URL or domain 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 3 other signatures 2->39 8 DHL Air waybill.scr.exe 3 2->8         started        process3 file4 25 C:\Users\user\...\DHL Air waybill.scr.exe.log, ASCII 8->25 dropped 11 DHL Air waybill.scr.exe 8->11         started        14 DHL Air waybill.scr.exe 8->14         started        16 DHL Air waybill.scr.exe 8->16         started        process5 signatures6 51 Modifies the context of a thread in another process (thread injection) 11->51 53 Maps a DLL or memory area into another process 11->53 55 Sample uses process hollowing technique 11->55 57 Queues an APC in another process (thread injection) 11->57 18 explorer.exe 11->18 injected process7 dnsIp8 27 www.baltic-freya.com 79.98.25.1, 49695, 80 RACKRAYUABRakrejusLT Lithuania 18->27 29 www.05hc.com 104.21.0.121, 49698, 49699, 80 CLOUDFLARENETUS United States 18->29 31 www.youlielox.space 31.31.196.51, 49696, 49697, 80 AS-REGRU Russian Federation 18->31 41 System process connects to network (likely due to code injection or exploit) 18->41 22 cmstp.exe 13 18->22         started        signatures9 process10 signatures11 43 Tries to steal Mail credentials (via file / registry access) 22->43 45 Tries to harvest and steal browser information (history, passwords, etc) 22->45 47 Modifies the context of a thread in another process (thread injection) 22->47 49 Maps a DLL or memory area into another process 22->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d534b7ba8611e09a0f7be51d7052d698f41a1531b0ba22fe9ef40f6ac49833f1/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-08 11:03:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2u2lpougchqjud334uoxauwwtd2bufjrwc5cf7u66qhwvreygpyq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221208-m5ppnscg31/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd149800-573c-43c1-b843-41b9914eb01b
Unpacked files
SH256 hash:
5521a4f8d5f59105b326080807babb42ad63321a0256e12de67e7b0a8d1aeeaa
MD5 hash:
15305d442d5ddc92ae410cdd96320723
SHA1 hash:
76c18b3ef96696ece3120c370cfb3a11d8bb3e2d
Link:
https://www.unpac.me/results/f8ad375c-e348-4b59-b9c4-ebfbb30ad4b8/
SH256 hash:
b236dff0df818bbf4fbf78ff08490b00a1f6872c1db11d4cd2827189c72ed7d2
MD5 hash:
39910e89e009a951c7b7b36522f57c16
SHA1 hash:
f0a3c75ec22270e798ec7fe0367067b50d6a80d7
Link:
https://www.unpac.me/results/f8ad375c-e348-4b59-b9c4-ebfbb30ad4b8/
SH256 hash:
0ebbbe027cb19c7063d2380e8d445a48de46b3aa0d5d58d2a524c43ae7294247
MD5 hash:
c247ce371ab89c3913d0bea2efad925e
SHA1 hash:
7d4c1fd7e12025a5d1e663e1920c89f859dbada9
Detections:
PureCrypter_Stage1
Create hunting rule
Link:
https://www.unpac.me/results/f8ad375c-e348-4b59-b9c4-ebfbb30ad4b8/
SH256 hash:
d534b7ba8611e09a0f7be51d7052d698f41a1531b0ba22fe9ef40f6ac49833f1
MD5 hash:
6ce80283f74427dc314d93df050decf1
SHA1 hash:
f06fd3207d506afc47ed3a92850fde4388566246
Link:
https://www.unpac.me/results/f8ad375c-e348-4b59-b9c4-ebfbb30ad4b8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d534b7ba8611e09a0f7be51d7052d698f41a1531b0ba22fe9ef40f6ac49833f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Formbook
Create hunting rule
Author:@malgamy12
Rule name:Windows_Trojan_Formbook_1112e116
Create hunting rule
Author:Elastic Security
Rule name:win_formbook_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.formbook.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/344297/

Comments