MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405
SHA3-384 hash: 65147568f172adc838a035d500855ee025f37d92e932a7ad734382a7c7f76edede281269522efe15c8e5c84a5fc6ebc8
SHA1 hash: 9ad029bf6cebf0308db6771d423018289684faf5
MD5 hash: 9bcc23452d5a20790ff08c81812d7fd2
humanhash: maryland-december-snake-pizza
File name:image.exe
Download: download sample
File size:548'864 bytes
First seen:2020-08-17 08:53:56 UTC
Last seen:2020-08-17 10:08:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 849887af87d3c5a3505d23d8b15e02ce
ssdeep 12288:tuv+XyDHRqUa546A9jmP/uhu/yMS08CkntxYRC:sv0wHR1fmP/UDMS08Ckn3T
Threatray 346 similar samples on MalwareBazaar
TLSH 3FC49D13EB20B11EE953C4B16C65826E1A197EB60295AE07BFC59F0934726D3B9F031F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: franceloc.fr
Sending IP: 45.138.172.137
From: Khaosan Jewelry<bastide@franceloc.fr>
Subject: payment receipt
Attachment: Payment receipt.iso (contains "image.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46839/
Detection(s):
SecuriteInfo.com.Generic.mg.9bcc23452d5a2079.30387.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Kutaki
Create hunting rule
Detection:
malicious
Classification:
rans.adwa.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/432955
Signature
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Potential malicious icon found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected Kutaki Keylogger
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 268782 Sample: image.exe Startdate: 17/08/2020 Architecture: WINDOWS Score: 84 23 Potential malicious icon found 2->23 25 Yara detected Kutaki Keylogger 2->25 27 Yara detected VB_Keylogger_Generic 2->27 29 4 other signatures 2->29 7 image.exe 1 14 2->7         started        11 uttppxch.exe 2->11         started        process3 file4 21 C:\Users\user\AppData\...\uttppxch.exe, PE32 7->21 dropped 31 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->31 33 Drops PE files to the startup folder 7->33 13 uttppxch.exe 1 13 7->13         started        15 cmd.exe 1 7->15         started        signatures5 process6 process7 17 WerFault.exe 13->17         started        19 conhost.exe 15->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405/
Threat name:
Win32.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 08:55:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4mywnt47nhg4ksz4vfzbu2bx3fq64qrilr3gkynj76fbogptsqcq._file
Verdict:
malicious
Similar samples:
167d491785e99c6aec1e23ef064eceb9e7ac81af33262d7e3d3e51cc8759ce70
25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85
2bf8fe42f591b6bd6090306f9ca6e3d6b02a2cc86255d526619ca53a533006be
2d3877e6e33b4a3763ccdb6a68f4998d48d048c8b36a5fd9c2054ac2377e43dc
3460bddb22bbd2c03da5dbcc68e6ce1d54cfb1d5991196eff039acb093d96307
363755d7a78e52ae1314c7c4a485048269a9680e93bc4cb82098ca6139bfd912
4fbe77777093608a25b248db192e96bb062da46835e2739c07922c39cfbb0d57
5bd645a7783a25d2caa48ee448ad1e47c00ae25e5a7fd9b304ad9422e9e79fd5
b2db0dad3f1acb31633bc8d135453b5141d75ce89212a303a9148a40f60eb917
e906f1c983c7c2756f4bcd4de9edb2c6e8d16c1f84a18fecf15b698a459183fc
+ 336 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200817-naklgwxxpx/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 2e5d72526f20a77c48730482202938ea1bedc95444c9334b2b8f14eb877bf8c1

Executable exe e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405

(this sample)

  
Dropped by
MD5 be1f3c0fc35c4a7a885b8b3c6aff8743
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46839/
  
Dropped by
SHA256 2e5d72526f20a77c48730482202938ea1bedc95444c9334b2b8f14eb877bf8c1

Comments