MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85
SHA3-384 hash: 8f9abadd116b9ed30c5d97317afd5818d2bc8521c273e07fbf27d2a62526d1c82607c875498a57e54a981e7b5845df66
SHA1 hash: c20d9e818f912fc4f47ed1e85718c6196b911801
MD5 hash: 8386b787dfff37c3e7bcdcc03a0a7487
humanhash: diet-venus-iowa-july
File name:image.exe
Download: download sample
File size:516'096 bytes
First seen:2020-08-14 08:53:52 UTC
Last seen:2020-08-14 09:42:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ad025296d6ab80f1c1f4bca0e2c350b
ssdeep 12288:zRBZegfhFC546A9jmP/uhu/yMS08CkntxYRT:EmhFCyfmP/UDMS08Ckn3C
Threatray 618 similar samples on MalwareBazaar
TLSH 4BB49C17E620B50FE9A6C4B0BD7592AB19163D774286AD87B7C15F0E60722D3A8F070F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp124.iad3a.emailsrvr.com
Sending IP: 173.203.187.124
From: ASB Bank <no-reply@asb.co.nz>
Subject: Payments for a law firm.
Attachment: image.zip (contains "image.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45669/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.3378.30119.17643.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Kutaki
Create hunting rule
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/429082
Signature
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected Kutaki Keylogger
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85/
Threat name:
Win32.Trojan.SpyAgent
Create hunting rule
Status:
Malicious
First seen:
2020-08-14 02:26:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=exyeedjvkgmfk2p3k5exgaoh2l3jccb5ommnfdnvxkzorjvaxocq._file
Verdict:
malicious
Similar samples:
110fa520e5db8df04353392a845e64808d2ce2a95de989bc44e2d66abadc1497
33e6e7a8f9bd94fa61311b96d6d87c77acae7ab7c42ef47e03be3a14ff7d492c
363755d7a78e52ae1314c7c4a485048269a9680e93bc4cb82098ca6139bfd912
4fbe77777093608a25b248db192e96bb062da46835e2739c07922c39cfbb0d57
5bd645a7783a25d2caa48ee448ad1e47c00ae25e5a7fd9b304ad9422e9e79fd5
6df8ea96addb668a51442b4b3287c1294f0e834333c068f3853cb95016dceaeb
77985fca7ae6b60c8025ba326e3bd1d9949c3fb32b9ca0f99f040be633823a7c
b48c6ee90905955194c2864cd4ff8618c7df2a301df6740ce9f9065f5cb04fa9
db5f388785aeec055189f9c7ee6ce371f399c1a67fe41a653308fcd47d86f90e
e33166cf9f69cdc54b3ca9721a6837d961ee42285c766561a9ff8a1719f39405
+ 608 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200814-gjwvyyg1za/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 614b1804f29b1fd1aaaf62dd34c9a731bd43d68f47407e0ca2aec09a246e4101

Executable exe 25f0420d3551985569fb57497301c7d2f691083d7318d28db5bab2e8a6a0bb85

(this sample)

  
Dropped by
MD5 78e809c55f5df7c849de4218d153ad21
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/45669/
  
Dropped by
SHA256 614b1804f29b1fd1aaaf62dd34c9a731bd43d68f47407e0ca2aec09a246e4101

Comments