MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22468aa853a066a98d83b1e29f7ab32b85e851159dd363fd8d4bc65d93296b3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22468aa853a066a98d83b1e29f7ab32b85e851159dd363fd8d4bc65d93296b3c
SHA3-384 hash: 543012b30486d9ec3e1cfa36d5e25dae2e26c930345bf237a18de47c61832e091658da3c7887dc3d652b9449671d5287
SHA1 hash: e9619b238a01b38df12625fac6d438e6b1e3998e
MD5 hash: fcb8f7846d3d2a3268a0c0761c78f74b
humanhash: lion-cardinal-wolfram-pizza
File name:purchase order.exe
Download: download sample
File size:273'408 bytes
First seen:2021-10-21 06:16:56 UTC
Last seen:2021-10-21 06:42:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:26Uqd2GhNcbIu495alGeH9stGYfInwjsH:TUi2iN7bjalriIYfo9H
Threatray 6 similar samples on MalwareBazaar
TLSH T16A449C46325C81F5DB382A7B7D93930D3BA23CF5A943D28D6AD2F19A19B13618D305B3
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
132
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198987/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617105e0db358dd15ecc1e14/reports/ef701a92-c55a-4de0-8e75-67f6627c5979/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c9284597-d8fd-4c53-a467-8a15c7835f15
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/874350
Signature
.NET source code contains potential unpacker
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 506773 Sample: purchase order.exe Startdate: 21/10/2021 Architecture: WINDOWS Score: 76 26 Multi AV Scanner detection for dropped file 2->26 28 Yara detected AntiVM3 2->28 30 .NET source code contains potential unpacker 2->30 32 4 other signatures 2->32 7 purchase order.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\Roaming\dZWWVu.exe, PE32 7->20 dropped 22 C:\Users\user\AppData\Local\...\tmp3C87.tmp, XML 7->22 dropped 24 C:\Users\user\...\purchase order.exe.log, ASCII 7->24 dropped 10 schtasks.exe 1 7->10         started        12 purchase order.exe 7->12         started        14 purchase order.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22468aa853a066a98d83b1e29f7ab32b85e851159dd363fd8d4bc65d93296b3c/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 06:17:07 UTC
AV detection:
10 of 42 (23.81%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ejdivkctubtktdmdwhrj66vtfoc6quivtxjwh7mnjpdf3ezjnm6a._file
Verdict:
unknown
Similar samples:
02e1afef37de9e6f85db592f56f13691548c8f796127e0d2c227c4f65b0033fc
0ba4135b330637a98320e9ee0655cd3fa0423998e9fdf54b0e8e0ac85ba0f93f
3bd0fd9a08763582606b71a86c2bb4a4fc178559e2ac4e3b9ac999bdc95d65b1
6a6450c020fa3f553aa941e737be918d75d69dd930a4c4d5757ddfc1efd066ba
bc83ce6a585ef0217f5088832b31be76b70a4e3b2c6e8212995c64cf71b7ded4
fdd016077ae901b6249b71415d30c134ff7c7a44e00c2e78027d2537ac9be019
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211021-g134lshhf6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
a8501955767b3622e2633b6e218c5eac40d13fbec360b6c81c2cd375ffd25dc8
MD5 hash:
0637339bbb841554162ac0fa65ef1562
SHA1 hash:
e6ebe903ac915357ab4a1bf55323249e0b97706f
Link:
https://www.unpac.me/results/f55d19ca-e06d-4d38-917e-6679ae3bc6a9/
SH256 hash:
6fee24a1398bb022d0c5b9059b9b21e7636fc3861866a583d0e49b7d0ca56d58
MD5 hash:
36e2528c3cb3ad299ea481283687cdd6
SHA1 hash:
1981340bc7be1aa8f78f942fc6f0724838e35a87
Link:
https://www.unpac.me/results/f55d19ca-e06d-4d38-917e-6679ae3bc6a9/
SH256 hash:
22468aa853a066a98d83b1e29f7ab32b85e851159dd363fd8d4bc65d93296b3c
MD5 hash:
fcb8f7846d3d2a3268a0c0761c78f74b
SHA1 hash:
e9619b238a01b38df12625fac6d438e6b1e3998e
Link:
https://www.unpac.me/results/f55d19ca-e06d-4d38-917e-6679ae3bc6a9/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 22468aa853a066a98d83b1e29f7ab32b85e851159dd363fd8d4bc65d93296b3c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198987/

Comments