MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11
SHA3-384 hash: 45d77bd20c0a46d9059c616526f2db6ccb7c48a60267253e7139620aad4e738ad35614916fb2fad0e0ef9845e501312f
SHA1 hash: 2cb577232c33f07815b9e4491aeb4d89eec9d353
MD5 hash: 487ea12043793b69aa642ab240b3b6fc
humanhash: iowa-eight-bulldog-washington
File name:QUOTATION. PDF.exe
Download: download sample
File size:1'223'168 bytes
First seen:2024-01-24 14:02:27 UTC
Last seen:2024-01-29 09:24:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bd3825b6e0410966f0c31f64b6c7644a (36 x AgentTesla, 15 x Formbook, 6 x RemcosRAT)
ssdeep 24576:rAHnh+eWsN3skA4RV1Hom2KXcmtcFg3Tf/xvCE:Gh+ZkldoPKsacij/xv
TLSH T13B45BE027392D03AFFBB92B35B69B20156B97D244123852F13D82D79BE701B1673E762
TrID 49.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
22.7% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon a065646aeec646ec (21 x AgentTesla, 13 x Formbook, 5 x DarkCloud)
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
304
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/472757/
Detection(s):
PUA.Win.Packer.Embedpe-3
Create hunting rule

PUA.Win.Packer.Ep-7
Create hunting rule

PUA.Win.Packer.AcprotectUltraprotect-1
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit fingerprint keylogger lolbin masquerade packed shell32
Link:
https://www.filescan.io/uploads/65b118a887258803c23dcbf4/reports/d60581ae-5729-4837-b489-a73d97b5f085/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5f17f49a-befe-4457-bb78-33fd6b1c8e39
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1380354
Signature
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2024-01-24 14:03:11 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cvcbhi63gxf2ehpgcjldcncgy6z2agbdjekdgxn3kzg7yzltviiq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/240124-rcqhqacbbr/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
AutoIT Executable
Unpacked files
SH256 hash:
1a3a9ffd38c34e7ec5dbfae22a6e2f6b2745f5528ede63339c8f7081d8e5895f
MD5 hash:
06866ba706f4b1c6cb3aaadb91a39546
SHA1 hash:
36766bd29900a2647cdcfebbd23bd80bfcb438a2
Link:
https://www.unpac.me/results/e203bfd2-621c-4f49-b0b6-4cd6604a0f29/
SH256 hash:
a2d849cbecb3dc496f35171e95512b83b1589ef788e178533cff772fa8a33a40
MD5 hash:
d11599cfbb84913f133096912f642a92
SHA1 hash:
16e239b541f11c603aecd6839c603ca3a8312c55
Link:
https://www.unpac.me/results/e203bfd2-621c-4f49-b0b6-4cd6604a0f29/
SH256 hash:
154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11
MD5 hash:
487ea12043793b69aa642ab240b3b6fc
SHA1 hash:
2cb577232c33f07815b9e4491aeb4d89eec9d353
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/e203bfd2-621c-4f49-b0b6-4cd6604a0f29/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 154413a3db35cba21de61256313446c7b3a018234914335dbb564dfc6573aa11

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/472757/

Comments