MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1971656a7db56f7e14d9f95176b44d0a51deb967bc68dd7b2b8efedb65c76296. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	1971656a7db56f7e14d9f95176b44d0a51deb967bc68dd7b2b8efedb65c76296
SHA3-384 hash:	3533e334cb0ddf96f1f77656144cabc12ddccb90069f472163db55d12b47ee29a0a7b0660b09a803edce8d02cf9bc01b
SHA1 hash:	5e703ca93b1caef4cd32f9ec53a3a2622de41520
MD5 hash:	11b513314bf684e6881812ba99f03fa4
humanhash:	sad-timing-cat-summer
File name:	ORDER_REQUEST09467_PDF.exe
Download:	download sample
File size:	1'201'664 bytes
First seen:	2020-10-14 15:10:56 UTC
Last seen:	2020-10-14 15:57:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:seaJGGSIg0V8LrWWVb3Dh0Uybi6haQHif:sea8GSIgU8LrNN0Uy26aQC
Threatray	16 similar samples on MalwareBazaar
TLSH	90456B11560C6E97FBF88337A456673062AAFB115E20CF1AEDB725B91263B704B13E31
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mta06-mxf-kb.turkticaret.net
Sending IP: 31.186.28.26
From: Ruth Harrisons <abdullah@kahramansan.com.tr>
Subject: ORDER REQUEST
Attachment: ORDER_REQUEST09467_PDF.rar (contains "ORDER_REQUEST09467_PDF.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

70

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70855/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42629.7317.7058.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching the default Windows debugger (dwwin.exe)

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/491204

Signature

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1971656a7db56f7e14d9f95176b44d0a51deb967bc68dd7b2b8efedb65c76296/

Threat name:

ByteCode-MSIL.Spyware.Stelega

Status:

Malicious

First seen:

2020-10-13 17:26:40 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dfywk2t5wvxx4fgz7fixnncnbji55olhxrun26zlr37nwzohmkla._file

Verdict:

unknown

Similar samples:

0b028d55ca928e454839e02ceefb464bcd6bb9d0520bd9ee6a4d021e1b314f79

3922c5b53b3f4d4b7cfd93c48d0f95d7f0de494d52b43019643403dcafccd80b

7891ae9d0d99198c2fa2e77bb5f937b22ffa4ffa83c6fbba6a012b7054b4b1b9

78a7aa0486061a57f3462f1cbdf590eb98ce0f062f6b7e3bd7d344e408f618e1

ae34d7562b8f2ad4c5d31e0c962d5dadd8433a654dc698d8ac4601bbfacd4a98

b2a9289cb0dcecea670e1e284902963133a07267ee687ccd8b8e4f5bed9a3b43

ce1eacfadbf8ddc471b548902421228b2f9173bfde4d156ed1ec27fdbc187520

e0ab0c0a0a8c8e39df896a50ff45c88d66418e7d091e54a28d9027e407d0b3b4

e4c0a05633312d7511731bd4f16cf30be9789e037794d767de8e021bfd5b742c

ed2ab3d13808c498b74952c97374630967e06fe72c945feb031476bfd9403ff8

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/201014-azqp421w8e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

1971656a7db56f7e14d9f95176b44d0a51deb967bc68dd7b2b8efedb65c76296

MD5 hash:

11b513314bf684e6881812ba99f03fa4

SHA1 hash:

5e703ca93b1caef4cd32f9ec53a3a2622de41520

Link:

https://www.unpac.me/results/a8c34142-3730-4e31-b834-2dad6a881b7b/

SH256 hash:

01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a

MD5 hash:

eb593633270aa19162cf64663df9dd6c

SHA1 hash:

2ec57181471ff10abe9a04239ca3ea86ea4252b9

Link:

https://www.unpac.me/results/a8c34142-3730-4e31-b834-2dad6a881b7b/

SH256 hash:

79efd36f07ff6b5090d39d9661280fc564243318441b24824a4f68c4a0557c50

MD5 hash:

3ef7813ff43a4a22faba227f8e5c2bda

SHA1 hash:

d6c6f0437a928f2c18e2a5c80e380adabdf9844f

Link:

https://www.unpac.me/results/a8c34142-3730-4e31-b834-2dad6a881b7b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1971656a7db56f7e14d9f95176b44d0a51deb967bc68dd7b2b8efedb65c76296

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 9c8f739aa7480fecb6ba85b75a49aa7098949ee22f4fdd794e5cbc31150d8285

exe 1971656a7db56f7e14d9f95176b44d0a51deb967bc68dd7b2b8efedb65c76296

(this sample)

Dropped by

MD5 abb87f2dd63d96c7deadea46caac34da

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/70855/

Dropped by

SHA256 9c8f739aa7480fecb6ba85b75a49aa7098949ee22f4fdd794e5cbc31150d8285

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample