MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05eda8f2c817ec399048cbcfed705c795be9bf403f746b37d4a073e47bd3ffd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05eda8f2c817ec399048cbcfed705c795be9bf403f746b37d4a073e47bd3ffd3
SHA3-384 hash: 596e6fe5e117c69d39bd23fb7f4d8ead57267a29cb878d148390ac437fe70efdee7445bfe9a870f12ca58cbddbc3b72b
SHA1 hash: e6019a6f8e913aa7ff7993fdd1eaadee25d44694
MD5 hash: 6defe1f988df760cb1d89b2efa3a56b5
humanhash: red-indigo-harry-island
File name:Zahlungsaviso.scr
Download: download sample
File size:599'552 bytes
First seen:2020-10-12 05:53:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:MwelDROv1rCKIbbbSR3dZF5+tIaDhhqTg78LX:MwkCuf43dj5O
Threatray 6 similar samples on MalwareBazaar
TLSH F6D422C6C4844170F8F50A358636A865737A2ED46CF56D0C65A87BAB32FB3C710A1E6F
Reporter abuse_ch
Tags:DEU geo scr UniCredit


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.svetaine123.lt
Sending IP: 109.235.71.104
From: Unicredit.Bank@server.svetaine123.lt
Subject: Zahlungsaviso
Attachment: Unicredit_Zahlungsaviso.Pdf.img (contains "Zahlungsaviso.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69912/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487926
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05eda8f2c817ec399048cbcfed705c795be9bf403f746b37d4a073e47bd3ffd3/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 01:28:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axw2r4wic7wdtecizph624c4pfn6tp2ah52gwn6uubz6i66t77jq._file
Verdict:
malicious
Similar samples:
1561b79e543e7e914eccf0b5bfa92867fbb07163aa4809ab5c6217dca11c3018
60939dd4c12a90d44e021e79be83dc3339139ee922759a0b1055ab558b2a814f
b1ec11ffefb1d9d29251fe84c8712c74c331d4172597f038112ecba875b38d3e
d0407c5317cc1ef408223770e68872a159fb14b76266668ccd353d1e150425af
d2d2b104754e2a49b15b4cbd675ddf2919d1820c58f7e495b9d786bb43785141
ff06c54cab0bdcb0cea8c47f5ef001b2fc917ba857a0d14308ab7211408ba608
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201012-kg4kfv3n32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
05eda8f2c817ec399048cbcfed705c795be9bf403f746b37d4a073e47bd3ffd3
MD5 hash:
6defe1f988df760cb1d89b2efa3a56b5
SHA1 hash:
e6019a6f8e913aa7ff7993fdd1eaadee25d44694
Link:
https://www.unpac.me/results/a04b8138-2b1f-4e66-a524-8141656f47eb/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/a04b8138-2b1f-4e66-a524-8141656f47eb/
SH256 hash:
e7c9346a90943bae592cb289bc85aca774cb8b26f571f7e09754b6a0e2a962ea
MD5 hash:
cbcb1694b63462a4ea281b9df81c77ec
SHA1 hash:
b41dffd31453d05a0d5394e15227e77e6a0894e1
Link:
https://www.unpac.me/results/a04b8138-2b1f-4e66-a524-8141656f47eb/
SH256 hash:
1bc693e05698fe97fe0d25f01c72870619f065c1d3e8fd359f3641026b9403e1
MD5 hash:
7c0d253a4c3122e5747e18370b94a145
SHA1 hash:
e9f6a15483acd73987c7951d1710e614652f189d
Link:
https://www.unpac.me/results/a04b8138-2b1f-4e66-a524-8141656f47eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/05eda8f2c817ec399048cbcfed705c795be9bf403f746b37d4a073e47bd3ffd3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 3255c6243f68cd3a1264498d4c9b0d97cda71b62d45c4449b40e8b6293965440

Executable exe 05eda8f2c817ec399048cbcfed705c795be9bf403f746b37d4a073e47bd3ffd3

(this sample)

  
Dropped by
MD5 c9d9bf1af6c4f61a0c2776aa18de51fc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/69912/
  
Dropped by
SHA256 3255c6243f68cd3a1264498d4c9b0d97cda71b62d45c4449b40e8b6293965440

Comments