MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b208ebf2d49aff15830eb04d120dee50a9d715dbad6431366f0affeec4bc463. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0b208ebf2d49aff15830eb04d120dee50a9d715dbad6431366f0affeec4bc463
SHA3-384 hash: 4e004713a43b72fce82e4ed93d8a39e0157104644d84fbb544906e651c11a771203f2d52f5198ec04f2775454729e437
SHA1 hash: 29469e19efd9a7ac5d0de9e2b4489528663cab3b
MD5 hash: d4d4e0e3fa9650f86b13ead534e9252f
humanhash: cardinal-fourteen-may-sink
File name:Invoice.exe
Download: download sample
File size:127'488 bytes
First seen:2022-02-11 06:27:00 UTC
Last seen:2022-02-11 15:33:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:T+3ZLsoKsCpIpYezx3maHiYmwN8Agw3nZPHbzYKy2L:K35soKsCpIx2vAVZDz1
Threatray 39 similar samples on MalwareBazaar
TLSH T1C5C35FF5E774B919F010C57CF98982703AF9EF609F329542B469363A197E2BC2D620E4
File icon (PE):PE icon
dhash icon f8cc86969686cce0 (26 x AgentTesla, 1 x Loki, 1 x QuasarRAT)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
201
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/240822/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.310.18390.19065.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed replace.exe
Link:
https://www.filescan.io/uploads/620601b8289e2f3e4fc0ef1e/reports/82a730bb-d686-4a83-9c69-6e6a58565d9f/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83737bd2-ccc8-4e18-ad2c-69e8ef99ca31
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/938389
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0b208ebf2d49aff15830eb04d120dee50a9d715dbad6431366f0affeec4bc463/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2022-02-11 03:26:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
29
AV detection:
22 of 41 (53.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bmqi5pznjgx7cwbq5mcncig64ufj24k5xllege3g6cx753clyrrq._file
Verdict:
unknown
Similar samples:
0045e4acf0984e3982a7b0c31f8c36ce86528657bf1a41c2b5cefc71b75e9c01
4987b259e5ff095fdb679b905093b4f888a3d88b4a3c061e27ab7fa8f36b2632
a53d910177170c5b3db633cd8a6f76816eace62d5b5ea5d86ba3240bfd7ba197
b100e4e89f9793a97ece1f3a91b2ef8c7c060c7e5685f6769651d54b06b986a3
b4433e10d6b0efd343e586a877e4b9823efe364c2e193a3943c7a7352837ebed
b4a92bcb6f677bbf9ede6ad7b290f83bc27592fefae0a8b3c6bf8026ff3327ee
bc0c6f07b05e4c29bae36fedd9e58e1cd0148d777a68d50ec5104567d9e3ce43
d8079b19aa1f119485291950ae0580757618dd23c4d18eed64e06aa3a86c1751
e26feb0a7e8a40cdd68c40755ff540129311ae05fc0fdfb92dcf1970ceff875c
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220211-g7rn6abge5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
0b208ebf2d49aff15830eb04d120dee50a9d715dbad6431366f0affeec4bc463
MD5 hash:
d4d4e0e3fa9650f86b13ead534e9252f
SHA1 hash:
29469e19efd9a7ac5d0de9e2b4489528663cab3b
Link:
https://www.unpac.me/results/fe4e3140-04ff-49c3-9f1e-21a3a1bbb9ce/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exec_macros
Create hunting rule
Author:ddvvmmzz
Description:exec macros
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 0b208ebf2d49aff15830eb04d120dee50a9d715dbad6431366f0affeec4bc463

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/240822/

Comments