MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07
SHA3-384 hash: afab5acb4a19e77466c5cba56e7c9640c68f727c5b733f732366a08cbb67003a08c3712b161153540fbf8bea35ec761a
SHA1 hash: 3b0c216414c38682fae17a57d5c11c3264ff668a
MD5 hash: 509a1b3637f104f543349d3c1ae5610f
humanhash: east-connecticut-comet-nineteen
File name:ORDER SPECIFICATION AND DRAW.PDF.exe
Download: download sample
File size:1'537'536 bytes
First seen:2023-03-01 11:31:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bbac62fd99326ea68ec5a33b36925dd1 (46 x AgentTesla, 38 x njrat, 27 x Formbook)
ssdeep 24576:K4lavt0LkLL9IMixoEgeaQ/AFaShGM5rhCWzbgiyteVq9MmCS:dkwkn9IMHeabphGMBDg9tSaPCS
Threatray 224 similar samples on MalwareBazaar
TLSH T1F665BD4267898251C3B35173BB51A7627E6B2C2436A1B0BA1FB53E3FB570C63531A623
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b0b0b2b4e2988c96 (7 x Loda, 2 x njrat, 1 x LodaRAT)
Reporter 0xToxin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
IL IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ORDER SPECIFICATION AND DRAW.PDF.exe
Verdict:
Malicious activity
Analysis date:
2023-03-01 11:33:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6a998078-4712-4597-aebd-6fdea4101ad8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370784/
Detection(s):
Txt.Malware.LodaRAT-9769386-0
Create hunting rule

SecuriteInfo.com.VBS.Dropper-4.UNOFFICIAL
Create hunting rule

Txt.Malware.LodaRAT-9978072-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
autoit greyware keylogger packed shell32.dll
Link:
https://www.filescan.io/uploads/63ff37b3bfec0852a68e27f6/reports/ff83a051-b8b2-429d-a348-673874d48f52/overview
Verdict:
Malicious
Labled as:
AIT:Trojan.Nymeria
Link:
https://www.hybrid-analysis.com/sample/22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1bc245e0-7dc8-46f2-af34-6bf63eb725ff
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1184837
Signature
Antivirus detection for dropped file
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07/
Threat name:
Win32.Trojan.Nymeria
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 11:32:08 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
19 of 39 (48.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eldstwhzbnu3o3k2h5ps3tumcsp7mljf6k3nrvqksvl5jmhl3qdq._file
Verdict:
malicious
Similar samples:
16475b2dabce04660e1f6127adf54827b7cf024f4cded92b9be6e07c85ae7a89
2551a571a99fb4d75cdcb33388ee46757767d949fb098658e38144f77733db97
2c916a10a631eaf7666091451c1b618a4bc6e2c159306d9723b6f0ab54e579fe
3888e180beb35b0ebef5b78b77e27f47879ea46b32adee17e65278d3d3a7fe47
71fda930ad176497eebd6861cc2fb6253fab2ebd8d16df1b8acfbb2250f3e8a9
74b86bc238ebe4299858163c95541dd07cec75a2960b74fdb78940c9aee38864
98d1a1ed8da6588112a805e5864e7ff29031d5bf9db49486a63fc7d652e66f8e
eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2
+ 214 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230301-nnad4afe5z/
Behaviour
Creates scheduled task(s)
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Drops startup file
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07
MD5 hash:
509a1b3637f104f543349d3c1ae5610f
SHA1 hash:
3b0c216414c38682fae17a57d5c11c3264ff668a
Link:
https://www.unpac.me/results/2a7abf10-59f8-4f4b-8fab-b7c6d3856c7f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/370784/

Comments