MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f83e70be0607dff6b747e235c79ea2fce53d2db4905f53d938aa7d1894ba29d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Adware.Generic
Vendor detections: 7

SHA256 hash: 0f83e70be0607dff6b747e235c79ea2fce53d2db4905f53d938aa7d1894ba29d
SHA3-384 hash: b1a8d5b9adf0a30efd3b33c970ee36f756194d92f7b91f37baebb60a53aaec0b133ff3a7d8023a8fa03a97489b73b685
SHA1 hash: 2082d63ddd31f3e829b96fc302755b7569659e61
MD5 hash: eece8c89e145f1da44fcefc2c395510e
humanhash: illinois-ohio-bacon-montana
File name: Quotation.exe
Signature: Adware.Generic
File size: 911'046 bytes
First seen: 2021-01-27 14:26:57 UTC
Last seen: 2021-02-17 21:11:33 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep: 24576:ssmngroXC+kSNXt/s0ICGHJa7fQr4hrJsfczAtriE:CBXxL5t/K7aNTzfE
Threatray: 158 similar samples on MalwareBazaar
TLSH: EB1523AB22E0E966D90232351FBC693B5B62C1A079785FC327D41D283D534EAFE16173
Reporter: James_inthe_box
Tags: Adware.Generic exe

Intelligence


File Origin
# of uploads:
37
# of downloads:
168
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Quotation.exe
Verdict:
Malicious activity
Analysis date:
2021-01-27 14:29:22 UTC
Tags:
autoit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Behavior Graph ID: 344993
Sample: Quotation.exe
Start date: 27/01/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Snake Keylogger; Machine Learning detection for sample; Initial sample is a PE file and has a suspicious name
Process tree:
Quotation.exe (started)
  dropped: C:\Users\user\AppData\...\xfpwnmtiam.exe, PE32
  xfpwnmtiam.exe (started)
    dropped: C:\Users\user\AppData\...\ix9kveu4es2u.exe, PE32
    signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; Sample uses process hollowing technique
    ix9kveu4es2u.exe (started)
      signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
      iexplore.exe (started)
        iexplore.exe (started)
          DNS/IP: avatars.githubusercontent.com; 140.82.121.4, 443, 49748, 49749 GITHUBUS United States
        iexplore.exe (started)
          DNS/IP: avatars.githubusercontent.com; github.com 140.82.121.3, 443, 49729, 49730 GITHUBUS United States; 3 other IPs or domains
Threat name:
Win32.Spyware.Woreflint
Status:
Malicious
First seen:
2021-01-27 14:26:26 UTC
File Type:
PE (Exe)
Extracted files:
31
AV detection:
20 of 28 (71.43%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
8/10
Tags:
ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash:
8cf5cf0efb072fac79a80001ad1fcaefc548ff159b57534e9f0331c8b1cdb3e2
MD5 hash:
5da5ad17cc53039f55fe216f897ef97f
SHA1 hash:
f563f00d68660dc1b5bcb62987c646be46c06c07
SHA256 hash:
0bb556219dd8f5b174a72a9ef148070c4fc1d81157759f3d65245548d4a71b2a
MD5 hash:
80cc647cf1e3df7ded9730ee5f7f160a
SHA1 hash:
362af99f7e4a49b207f46cd54970802a2f74f1e7
SHA256 hash:
0f83e70be0607dff6b747e235c79ea2fce53d2db4905f53d938aa7d1894ba29d
MD5 hash:
eece8c89e145f1da44fcefc2c395510e
SHA1 hash:
2082d63ddd31f3e829b96fc302755b7569659e61
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Author: ditekSHen
Description: Detects executables packed with ConfuserEx Mod Beds Protector
Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog
Rule name: MALWARE_Win_SnakeKeylogger
Author: ditekSHen
Description: Detects Snake Keylogger

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Other