MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4
SHA3-384 hash: 2edcee018efd5e8441e0dcb3b2705f3da122728290087ba52670ebab7368d12eae3bc90aaffff32dd320365ea590b753
SHA1 hash: 22651d893883c0e0df19df33a31cb75ded09d102
MD5 hash: 5ed97211220671294ee925c64b1e3ebc
humanhash: equal-winner-delta-crazy
File name:Ref150420190619A-B0270PEL. pdf.exe
Download: download sample
File size:1'080'804 bytes
First seen:2021-03-31 06:59:05 UTC
Last seen:2021-03-31 07:57:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 24576:+CxEaK5DgQKq+ighMy04fJDzxtdXPv61DDAEg+hb4d2vx:L5/hRrBDzxtdXPv61DsEzxJ
Threatray 4'842 similar samples on MalwareBazaar
TLSH C6352322FA3CD5E3D63A0930D0078D25CF75B125AD122A774BF27A0E2A66379D42F197
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.polnacorp.cf
Sending IP: 173.82.206.16
From: Lilian <lilian@steelperfect.com>
Subject: SUPPLY AS PER QUOTATION: Ref:15042019/0619A-B/0270/PEL
Attachment: Ref150420190619A-B0270PEL. pdf.iso (contains "Ref150420190619A-B0270PEL. pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ref150420190619A-B0270PEL. pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 08:15:36 UTC
Tags:
installer
Link:
https://app.any.run/tasks/9b75ec70-2437-42d9-a093-1ceccc6aad05

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129169/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.62793.20933.24349.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Creating a file
Setting a keyboard event handler
Reading critical registry keys
Sending a UDP request
Moving a recently created file
Replacing files
Deleting a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
DNS request
Sending a custom TCP request
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660018
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378938 Sample: Ref150420190619A-B0270PEL. ... Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 8 other signatures 2->52 8 Ref150420190619A-B0270PEL. pdf.exe 11 2->8         started        process3 file4 30 C:\Users\user\AppData\...\e3u77ae8ix8.dll, PE32 8->30 dropped 54 Maps a DLL or memory area into another process 8->54 12 Ref150420190619A-B0270PEL. pdf.exe 1 24 8->12         started        signatures5 process6 dnsIp7 38 smtp.mail.ru 217.69.139.160, 465, 49750 MAILRU-ASMailRuRU Russian Federation 12->38 56 Writes to foreign memory regions 12->56 58 Allocates memory in foreign processes 12->58 60 Sample uses process hollowing technique 12->60 62 3 other signatures 12->62 16 AppLaunch.exe 2 12->16         started        19 AppLaunch.exe 5 12->19         started        21 InstallUtil.exe 15 14 12->21         started        24 InstallUtil.exe 12->24         started        signatures8 process9 dnsIp10 40 Tries to steal Instant Messenger accounts or passwords 16->40 42 Tries to steal Mail credentials (via file access) 16->42 44 Tries to harvest and steal browser information (history, passwords, etc) 16->44 26 WerFault.exe 16->26         started        28 WerFault.exe 23 9 19->28         started        32 api.anonfile.com 45.148.16.42, 443, 49706 OBE-EUROPEObenetworkEuropeSE Sweden 21->32 34 anonfiles.com 172.64.206.3, 443, 49707 CLOUDFLARENETUS United States 21->34 36 192.168.2.1 unknown unknown 21->36 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 04:09:41 UTC
AV detection:
5 of 48 (10.42%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ag5mhlpvwjpy3lik7y75ou7o7jntd4vtkuheibu7lfbibyee7g2a._file
Verdict:
unknown
Similar samples:
51d068920ee714c25ce8b122798f7492ca0d0fc4ef196040a1443aa392a1e88e
74defd8809c3c66152c56c0f711d60e7110683784e42df2d80dcf3e30c412f6a
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
be1d469e7f434641202ffde45e666cd4b1d255814f8cbf344a3aff1e78e86768
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292
+ 4'832 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210331-jav54xv2r6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads local data of messenger clients
Unpacked files
SH256 hash:
2c28798f6c176550c12cae006cc4b745d1159c1499b24692618e862184340c29
MD5 hash:
c6f6a4ab393929ec22afbe6324184654
SHA1 hash:
a93b2f6df2744c590c39890a7060da2d4657365e
Link:
https://www.unpac.me/results/c80d8971-477c-4229-9ff5-672dfee3b319/
SH256 hash:
01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4
MD5 hash:
5ed97211220671294ee925c64b1e3ebc
SHA1 hash:
22651d893883c0e0df19df33a31cb75ded09d102
Link:
https://www.unpac.me/results/c80d8971-477c-4229-9ff5-672dfee3b319/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 9e81c81afb231ffa7c1cf9726be945eaabcaa95792f700420d3142dbca644183

Executable exe 01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4

(this sample)

  
Dropped by
MD5 573c5fd47af7b26e0fd20f3329c54f2b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129169/
  
Dropped by
SHA256 9e81c81afb231ffa7c1cf9726be945eaabcaa95792f700420d3142dbca644183

Comments