MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2
SHA3-384 hash: aaa2166627c7cdbc00aec0c60569c9636ab86166baee86ee29d47d03a7b48addbe872b12dd92f485d0719bcf53726ac0
SHA1 hash: 53ef08cf44534104ee36d602bbac7db7dea301b0
MD5 hash: 22a5c2511ebad9f193acce1e8797dd45
humanhash: wolfram-pip-wisconsin-wyoming
File name:SWIFT09775527743pdf.exe
Download: download sample
File size:3'219'456 bytes
First seen:2021-01-04 18:03:25 UTC
Last seen:2021-01-04 19:56:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:jGaWhFh+GRyXjOJb1aOPgzTvBpx7tfUfQHqBOy47gfR47lkU/gZFb5oi0jGglBnp:SatqJWxKfZi7gfR4a7o1lh3tN
Threatray 81 similar samples on MalwareBazaar
TLSH 6BE501067743CD91C1D07BB60FA6EDF30315EC966AE07E4E32E47A5B62BA28F5D08254
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: host30.ssl-net.net
Sending IP: 213.145.224.180
From: Lin Zhu <purchase@essencis.com>
Subject: FW: Swift copy
Attachment: SWIFT09775527743pdf.z (contains "SWIFT09775527743pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT09775527743pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-04 18:09:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/76e71863-acfc-4cab-a574-3e9b9e0c00d1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110434/
Detection(s):
SecuriteInfo.com.Artemis22A5C2511EBA.12944.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/573673
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 335900 Sample: SWIFT09775527743pdf.exe Startdate: 04/01/2021 Architecture: WINDOWS Score: 60 36 Multi AV Scanner detection for submitted file 2->36 8 SWIFT09775527743pdf.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\...\mailheakouu.exe, PE32 8->26 dropped 28 C:\Users\...\mailheakouu.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\...\SWIFT09775527743pdf.exe.log, ASCII 8->30 dropped 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 8->32 dropped 38 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->38 12 mailheakouu.exe 3 8->12         started        15 cmd.exe 1 8->15         started        signatures5 process6 signatures7 40 Multi AV Scanner detection for dropped file 12->40 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->42 17 AddInProcess32.exe 12->17         started        19 conhost.exe 15->19         started        21 reg.exe 1 1 15->21         started        process8 process9 23 WerFault.exe 23 9 17->23         started        dnsIp10 34 192.168.2.1 unknown unknown 23->34
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-04 18:04:07 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bpkdo6e4t66nmawps2byacyr5waly24lvd3iz5wfz3itpif63pja._file
Verdict:
unknown
Similar samples:
2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
3ba094f9ee7f050b817b94daad2e9b8334ecf138d474d54c993b2c3737c3eb34
641a1d0d54fc5d0facf1c2c20d1cb54f60705d67b5990b3be3cfcb7e8c1269a4
77fb17512bdea82047a24a36b153ef5277e6be10c3dcd16e123468c9d7564176
8004773fd522c0c16945bcc3dcc093f9e43501a821b97f71fcd1ed32c2cdb5e5
888d969119b65e85e43a15fddfcbe197dca9e61fb5233ddc2cfd5c6347580a1b
916e1e0648bbd10e136c833688e22b87c1f6ae73df18b9e331db37d05ce0b528
ad6e93284e34255607659e7e078cd4f6c43d0858297ea612c4effed17330b63d
b678f8fc8345839947b67e710f534a46b7bf435187d2d31d89c51e687af9dea4
ccb238545e350b6c90285c5eff16df04dd0da678b587613c3f4e4f9bc4799d01
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210104-qwnkeety46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2
MD5 hash:
22a5c2511ebad9f193acce1e8797dd45
SHA1 hash:
53ef08cf44534104ee36d602bbac7db7dea301b0
Link:
https://www.unpac.me/results/4f17aa30-44de-4cf5-8499-93751359b0c5/
SH256 hash:
49dc26861fffee2f6440e56a10b7086ea305d2f16bb9e27ba3e08b9893557f86
MD5 hash:
e732cd6decfed3503b4020899d5a56f9
SHA1 hash:
024c1bf147c698e92aae340bbee323601d02a787
Link:
https://www.unpac.me/results/4f17aa30-44de-4cf5-8499-93751359b0c5/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/4f17aa30-44de-4cf5-8499-93751359b0c5/
SH256 hash:
3308013ae1a994790b3954fe262f74aff3d1d67ffe9634b5fd15e009e116ce26
MD5 hash:
d9f4f16986c6e58706cb42b3b1d41bd7
SHA1 hash:
90e1d39abb423f857e6b9e153089510bbefc2dc0
Link:
https://www.unpac.me/results/4f17aa30-44de-4cf5-8499-93751359b0c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

z 00edd8d0eb68531ab5142741832ef816a8a2214144be82a907c90fab5585de82

Executable exe 0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2

(this sample)

  
Dropped by
MD5 f0cc8521fe22a1941419da4d89366f34
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 00edd8d0eb68531ab5142741832ef816a8a2214144be82a907c90fab5585de82
Cape
Cape
https://www.capesandbox.com/analysis/110434/

Comments