MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f3dd18c562054da9edf8c427370c1455f5882d455ca21e8f2ed2cff9d70472c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f3dd18c562054da9edf8c427370c1455f5882d455ca21e8f2ed2cff9d70472c
SHA3-384 hash: d6910d6343300cbc285516e88c38b70fa11e2f99381b6c66fc2efc447e45aaefbf0072b2582d85ef77e4bf340b840168
SHA1 hash: 0d153f4b5444b9f06a323473cce3ac1feecb427e
MD5 hash: de30408e59453b090c4a82780e192a57
humanhash: nebraska-arizona-april-florida
File name:OC_83015746.exe
Download: download sample
File size:1'227'776 bytes
First seen:2021-03-10 17:20:49 UTC
Last seen:2021-03-10 18:52:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:WaJyUJEmwrIJy4naM0EYbPt6CzxuT6cLsy:Wa5JibGaaCtPduT7
Threatray 1'509 similar samples on MalwareBazaar
TLSH 75457B6572A45F18F17E9B7C9226944483F2BC07E325DADEBDED81DC0523F828AA1713
Reporter abuse_ch
Tags:Endurance exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway22.websitewelcome.com
Sending IP: 192.185.47.228
From: Miguel Fernandez <adquisiciones@hdhuacho.gob.pe>
Subject: ORDEN DE COMPRA
Attachment: OC_83015746.cab (contains "OC_83015746.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OC_83015746.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 17:25:35 UTC
Tags:
autoit
Link:
https://app.any.run/tasks/37c5de9b-7f82-4e12-bc07-fdee40e15c62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.28309.5840.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/634914
Signature
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 366428 Sample: OC_83015746.exe Startdate: 10/03/2021 Architecture: WINDOWS Score: 96 43 Multi AV Scanner detection for dropped file 2->43 45 Sigma detected: Scheduled temp file as task from temp location 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 7 other signatures 2->49 8 OC_83015746.exe 7 2->8         started        process3 file4 27 C:\Users\user\AppData\...\iQGYBRhaIHRS.exe, PE32 8->27 dropped 29 C:\Users\...\iQGYBRhaIHRS.exe:Zone.Identifier, ASCII 8->29 dropped 31 C:\Users\user\AppData\Local\...\tmp4B80.tmp, XML 8->31 dropped 33 C:\Users\user\AppData\...\OC_83015746.exe.log, ASCII 8->33 dropped 11 OC_83015746.exe 16 8->11         started        15 schtasks.exe 1 8->15         started        17 OC_83015746.exe 8->17         started        19 OC_83015746.exe 8->19         started        process5 dnsIp6 39 www.diagtest.com.pe 11->39 41 diagtest.com.pe 161.132.18.162, 49720, 80 RedCientificaPeruanaPE Peru 11->41 35 C:\Users\user\AppData\Local\Temp\A.exe, PE32 11->35 dropped 37 C:\Users\user\AppData\Local\...\A[1], PE32 11->37 dropped 21 cmd.exe 2 11->21         started        23 conhost.exe 15->23         started        file7 process8 process9 25 conhost.exe 21->25         started       
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-10 17:21:10 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b465ddcwebknvhw7rrbhg4gbivpvrawukxfcd2hs5uwp7hlqi4wa._file
Verdict:
malicious
Similar samples:
079a0f977b60a6115bcddb387d8783eeea8cdd7678369c01d0e7b8a6071bf123
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
41ec47ce62f13677c0c4576c97e299471072aa9ade05670ad0aefdbbd9187fca
615d019a8312bbf632795d680d2daa42cc436a43b3a5256a772f2bb3b9bcc15e
63dac056d672b1987462b41f44987cb470e5b94fd528e521040e98c70de2732a
a4c035de8a4edb11a8cfaef2f2f8326d8909578cf9d5a5534edd4eb9d5a50680
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
e9fb11df00c7a833b875f7c68fc6d5ee3edeeac7c63d85fc4897f6aef7596f7c
edb743711a79b22830152304a71da9c88c4803ceb7081d88f326173857287bb7
eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2
+ 1'499 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210310-s3rayyh6lj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/32e4ccf9-f0ac-4b05-808b-a9814de2684d/
SH256 hash:
0f3dd18c562054da9edf8c427370c1455f5882d455ca21e8f2ed2cff9d70472c
MD5 hash:
de30408e59453b090c4a82780e192a57
SHA1 hash:
0d153f4b5444b9f06a323473cce3ac1feecb427e
Link:
https://www.unpac.me/results/32e4ccf9-f0ac-4b05-808b-a9814de2684d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/0f3dd18c562054da9edf8c427370c1455f5882d455ca21e8f2ed2cff9d70472c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

cab 8da2bebe41b7a676eb7b9615a202f5f043068247c7b9c28fb7a9d21856da33af

Executable exe 0f3dd18c562054da9edf8c427370c1455f5882d455ca21e8f2ed2cff9d70472c

(this sample)

  
Dropped by
MD5 b9af276c5ec57246e6091d88522c3bc1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8da2bebe41b7a676eb7b9615a202f5f043068247c7b9c28fb7a9d21856da33af

Comments