MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e63648bfd0943ee88abab80717d3a3477c485bdc53e93c40c1183eb196f53b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e63648bfd0943ee88abab80717d3a3477c485bdc53e93c40c1183eb196f53b3
SHA3-384 hash: b5563b5bd3a06d1e95f95e70da108080558f509e25237d094a30afc576cbbbc5497e50f5a8524ca067284a6f2867cd21
SHA1 hash: 8452e92cafc82f84b97328781cb3d7f9a3560b18
MD5 hash: b01b54edac1bdc60faca8b61ab45bba9
humanhash: tennessee-artist-coffee-twenty
File name:swift1.exe
Download: download sample
File size:574'232 bytes
First seen:2020-05-13 10:29:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:edg5nPgjwJJL7XJAnY7NS1kGmWlAwayzysMIa4cN46Yo2YDUaePptQ+J9:BnPbJHX+nOI6GjAVy3MIazTs
Threatray 759 similar samples on MalwareBazaar
TLSH 3BC4C02B36861008C13E46F1842E69E172772ECD3E46979E71AEA36C6FC324F775624D
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: iix85.rumahweb.com
Sending IP: 103.247.11.216
From: Sanjay Kumar <sanjay07@bdhme.xyz>
Subject: RE: INV #47001277710401 Bank Swift Copy 20200507
Attachment: swift1.zip (contains "swift1.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 10:41:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzrwjc75bfb65cflvoahc7j2gr34jbn5yu7jhramcgb6wglpkozq._file
Verdict:
unknown
Similar samples:
00481f6d6a28c6792dc0ddeb8cf053ec065be3ebebd70137dc51dbbd1f4c1898
0fc1100eb083ce6f3b25e85af328e2b3c70f3bb7d62090c86d467c706b816e1f
3710beaef523f6d29db7f87e5bc78087ce476cf94f28611216dc7f293d2e421c
561ef20f402a8aad423ac02ae911a988bbe4d82d523be9b950fa808a706bbb00
74a6daf75df0451691470f101c01b44a13d5d1677b5e137bd41c2d65f6471a2e
934330b434128bf71770a42630b50c53c41f83f4eaed0bea89a6303dd95f96ba
94b89dec963ec5d8d9440acb8690d79494187187d36d0f964da12bba0cc1cad3
9f86e4c1e6b8dd93f705c769d056d73f0f7b28f92b3925ba9a9aee9d3505c5e2
cc8ced87461f345694c927ccd2e09c93ac5522d63940f4fdfa2e36dd13286a6f
e5c170ac2dddf725d95b8ee205461cd734c66e5d3d0492a64dfc1b7670bda5f6
+ 749 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet persistence
Link:
https://tria.ge/reports/201109-se728el98x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip a7fd3ef25f112a8039d29a2c2e0203ba042b5b137056105820319e55e54c4256

Executable exe 0e63648bfd0943ee88abab80717d3a3477c485bdc53e93c40c1183eb196f53b3

(this sample)

  
Dropped by
MD5 ff152a4d0709da2a5e017163b603d2c8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a7fd3ef25f112a8039d29a2c2e0203ba042b5b137056105820319e55e54c4256

Comments