MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0efa7703690d3fe9df70c81d7dea974aa710c7c55a76fd50e6a050bc76698d89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 5
| SHA256 hash: | 0efa7703690d3fe9df70c81d7dea974aa710c7c55a76fd50e6a050bc76698d89 |
|---|---|
| SHA3-384 hash: | d171d72a77fc966e999d42b1e68553bff8f1e4f52ff203ff635c3de60af81e39909f1365fda3d58fb931b04c82eb727d |
| SHA1 hash: | 26e854c6a1ee7af3f8a282caf06610b76ce21db9 |
| MD5 hash: | 23fa47d1c4f4ab3084b9bd6ea926bb16 |
| humanhash: | delta-december-don-pluto |
| File name: | Gkauepj.exe |
| Download: | download sample |
| File size: | 1'123'330 bytes |
| First seen: | 2020-07-13 11:55:04 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | bfece282ee8fe6d99308046cce6d3bd3 (3 x RemcosRAT, 2 x FormBook, 2 x AveMariaRAT) |
| ssdeep | 24576:sEWNeUebPnGhlh40zI+N//y8QNvMMl8XZf1CDRX1/4LsD+zVxuTBqS:jXVnx3b8ouLsD7YS |
| Threatray | 5'142 similar samples on MalwareBazaar |
| TLSH | 8C35BF32B1A11A76C113093D7D1F53A99A27FE611FAEEB8267F51D0C8D7A1827C38187 |
| Reporter |  abuse_ch |
| Tags: | exe |
abuse_ch
Malspam distributing unidentified malware:HELO: ir-w2k16mx02.ihglobaldns.com
Sending IP: 185.10.75.16
From: razak@razak_labs.com <sales2@tamtrading.ir>
Reply-To: sales2@tamtrading.ir
Subject: Re:Important Details
Attachment: Documents.zip (contains "Gkauepj.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
DNS request
Sending a custom TCP request
Launching a process
Reading critical registry keys
Creating a file in the %AppData% subdirectories
Launching a service
Creating a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Threat name:
Win32.Trojan.Delf
Status:
Malicious
First seen:
2020-07-13 11:56:09 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 5'132 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
spyware persistence
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Legitimate hosting services abused for malware hosting/C2
Adds Run entry to start application
Reads user/profile data of web browsers
Reads user/profile data of web browsers
Adds Run entry to policy start application
Adds Run entry to policy start application
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe 0efa7703690d3fe9df70c81d7dea974aa710c7c55a76fd50e6a050bc76698d89
(this sample)
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.