MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28
SHA3-384 hash: dd8aa8e6851fa0f8073796531ce5b8f20ee90832f267e5958f2c93e5e22ec2e5667f707e816f23ea0fc58fccd45d30d8
SHA1 hash: 669d19caeb92ca4afa5ef25ca507aabdab0d506c
MD5 hash: 84e7dd228cdd50b443e4553ba83eae10
humanhash: cold-timing-mobile-july
File name:commercial invoice for Crate Prototype tool rev17 flipped mounts.exe
Download: download sample
File size:3'077'632 bytes
First seen:2020-12-29 07:59:00 UTC
Last seen:2020-12-29 10:12:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:aDfbKwjk2ogWXkMAzPfT07Kc1Ida5JyYTsZEI2zomrM/0Dmqpky+3+4WtsSzob+e:azKwjk2ogKDCPfT0ucSda5oYTsZtGoCE
Threatray 63 similar samples on MalwareBazaar
TLSH ACE5129275449898FFFA4631F0E57B2CC3F43783B6FEA86E0E8D294514B0588B92558F
Reporter abuse_ch
Tags:exe MailChannels


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: beetle.dogwood.relay.mailchannels.net
Sending IP: 23.83.211.15
From: Eliane Razzouk <ndoumit@gezairi.com>
Subject: Fw Re: commercial invoice for Crate Prototype tool rev.17 flipped mounts
Attachment: commercial invoice for Crate Prototype tool rev17 flipped mounts.cab (contains "commercial invoice for Crate Prototype tool rev17 flipped mounts.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
commercial invoice for Crate Prototype tool rev17 flipped mounts.exe
Verdict:
No threats detected
Analysis date:
2020-12-29 08:03:14 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/20a6e5dd-acf3-408a-a30d-520445a6ad12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/109725/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.6889.24220.27568.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/571296
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-12-29 07:59:07 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccrlmz5wffgjth7w3ohgxcnmsjzkv25ryt5feyjfyzdkyxd3nmua._file
Verdict:
malicious
Similar samples:
09eeb09143bbbf344c4734827f855275ca47a9e6eea0964158ce00076d12ef86
22ba4198dd80989673a5db96ec9a50b4bbd45931c98636aba17443d638ef937c
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
56223f30d25ad9e7ace44f33bf080b1b965df0a8d4f0b298537d9dcda4162052
586db73f0c9c8a852533d500b667211da84f2621c79c2cf19f471655db0cd64f
7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340
d6964f92949edac5e3f2b740a6c2fa121eb1539f5a291ee7d4cc5cd55cadd49d
d827689b395e61faaa11fcf68118f58ae90a291819e1dabe2fd1f91c37805ee2
ec8127c4b1dae8a286793e1c3a85a0f793203fe3e1142a2f57117ff5308a86e2
edc94fa5e8c239bd9e5ad814faed3b3d0089f63d98ffe5c70e7401652e6636ca
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware upx
Link:
https://tria.ge/reports/201229-n9ahsv57ge/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
aebe91c90665a06a2f34a7b9ff543741e84beefcc005a6828c3a67e86366623d
MD5 hash:
4addb572fce3df61eedafcac9b66086f
SHA1 hash:
414a4ff1aeba5aa84e57d6b1c6ba1c48e6a557df
Link:
https://www.unpac.me/results/cdb70f11-e2ff-4564-af89-4be53de131ed/
SH256 hash:
1b991223cec62ef7932bac328f80038d6c0fcd58b9c697fded76073c8bbe3f48
MD5 hash:
c1e87c8c413c6bdfade5f34f0089def1
SHA1 hash:
e7326d471b5945cd7f8118e5f3f3e27f903dff99
Link:
https://www.unpac.me/results/cdb70f11-e2ff-4564-af89-4be53de131ed/
SH256 hash:
10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28
MD5 hash:
84e7dd228cdd50b443e4553ba83eae10
SHA1 hash:
669d19caeb92ca4afa5ef25ca507aabdab0d506c
Link:
https://www.unpac.me/results/cdb70f11-e2ff-4564-af89-4be53de131ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

cab 0a9feda3fb4bdb055865f630d695cf4732f2e64c49512517ff22e8084595b0fb

Executable exe 10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28

(this sample)

  
Dropped by
MD5 a18621e92caca1a9b003e7bbd4522984
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0a9feda3fb4bdb055865f630d695cf4732f2e64c49512517ff22e8084595b0fb
Cape
Cape
https://www.capesandbox.com/analysis/109725/

Comments