MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0cea593cef95fc3438ec707ef6d293c3189c3a3144a389f790cccfaec770759. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0cea593cef95fc3438ec707ef6d293c3189c3a3144a389f790cccfaec770759
SHA3-384 hash: 67855adfa1f1ee81d5c5f5ee45af518f8945682d38014f3ac20d845f71b512cab171cd23676b5e5aa1f981e835b52e9b
SHA1 hash: 2f458c4ed1d1edf2697bf7be60dc71a8ced883e9
MD5 hash: 5a6d7f9876c36b2270fe5e99b096f1a4
humanhash: princess-nevada-carolina-massachusetts
File name:PO 450400- 13720.pif
Download: download sample
File size:1'911'296 bytes
First seen:2020-05-05 07:37:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:aJyU/w6d8sEtRekseKyosIB6FD4/JP+7cr66:+Y6d8sEt9KyosIWo+7cL
Threatray 477 similar samples on MalwareBazaar
TLSH 7295F19D762072EFCC5BD4B2DE981D64EA61747B830B4203A42716ADDE4D997CF280F2
Reporter abuse_ch
Tags:pif


Avatar
abuse_ch
Malspam distributing :

HELO: hamboya.com.tr
Sending IP: 23.227.196.14
From: Greg Kemp <orhan.cansiz@hamboya.com.tr>
Subject: Revised order confirmation - Proforma invoice
Attachment: PO 450400- 13720.zip (contains "PO 450400- 13720.pif")

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18162.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 08:40:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dhkle6o7fp4gq4oy4d663jjhqyytq5dcrfdrh3zbtgpv3dxa5mq._file
Verdict:
malicious
Similar samples:
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
3ecc7f6abd145158004019c01e8f8f7e56c2bc3d9b4625a3fe2e1eee470a7dd8
6033acde8c4bde98b22ad4e45db8bc34123e794019b42750a3430ba97e33c804
6b946bb613a85c620302f21a45e55e1cf87fa06941df163aafcfbfcecb580276
8978b5eb14061436a8d2249f9c92ac75d8307c83a09ea7aa3e6572f704b4335f
ce79965e4d06eb68644640f4a9396de4cb4e3299d0702e494c045fc07ae03931
d08aead15f73a995edb3859145a359316117d4b82d2c5a0f4a5b599eba28d263
d21f5fcd18544952bb7012782c68b9ab3f89f1d4ee154564eafc32cce59e1ada
f937bbe27c6d52452a121bc9aa320c26ae7eada7cadc9dda0fafc2c6b1bd5818
fe3dcdbbb57d61e04df490402d1e477ec1a804add945a2287c697b18a2234227
+ 467 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger rezer0 spyware stealer upx
Link:
https://tria.ge/reports/201109-8kfbsbjvqx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
rezer0
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 5845ce79fcd1bbe6ed76bbff18e2f3bb98a7bd82011cf960d5cc21b69651e582

Executable exe e0cea593cef95fc3438ec707ef6d293c3189c3a3144a389f790cccfaec770759

(this sample)

  
Dropped by
MD5 a082ef30e920a9de1f38b462a77125b1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5845ce79fcd1bbe6ed76bbff18e2f3bb98a7bd82011cf960d5cc21b69651e582

Comments