MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 260cfcaf6a90d085acef11b302e1afc0fe04cf3cbc501ec269690e9e6e5421e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	260cfcaf6a90d085acef11b302e1afc0fe04cf3cbc501ec269690e9e6e5421e4
SHA3-384 hash:	2171d70bed22bbded7c167f4b658a89598005f9c37146ac52a5043821f7ca95f37eb5f197b2b6f2d0fe4a76705c07fde
SHA1 hash:	4d1bedd2ee3866c30f51b535b810b18fec030ce8
MD5 hash:	2980bd805988cdb7e1f67c881e10b06d
humanhash:	summer-july-echo-kansas
File name:	Halkbank_Ekstre_202110019_095125_132879.pdf.exe
Download:	download sample
File size:	74'168 bytes
First seen:	2021-10-19 13:37:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	1536:uMMDliFgmRxkV3ER2DmCHXufygYDaDInB/T:u6FgD3FrDaDIBr
Threatray	45 similar samples on MalwareBazaar
TLSH	T1A3735A006BDC15A0D57B4BB1EAF05121937677837622D73EA9C160EC09E378247E7BAE
Reporter	lowmal3
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/198522/

Detection(s):

SecuriteInfo.com.W32.MSIL_Kryptik.EHH.genEldorado.6423.17955.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Launching a service

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Launching a process

Creating a file in the %temp% directory

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

overlay packed packed

Link:

https://www.filescan.io/uploads/616eca3d9a5a1e91c5c67a70/reports/ea8df18b-3bd0-491b-9870-1e6562df473f/overview

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/c2b38f13-d02b-4d65-8084-14e7beae7c93

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/873783

Signature

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for submitted file

Uses an obfuscated file name to hide its real file extension (double extension)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/260cfcaf6a90d085acef11b302e1afc0fe04cf3cbc501ec269690e9e6e5421e4/

Threat name:

ByteCode-MSIL.Trojan.CrypterX

Status:

Malicious

First seen:

2021-10-19 13:38:10 UTC

AV detection:

11 of 25 (44.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eygpzl3ksdiillhpcgzqfynpyd7ajtz4xrib5qtjnehj43suehsa._file

Verdict:

unknown

2fa09ee57bb2b3072c552ac43e07870c16872501131dc2dcd366cbcb30eed59a

33d46a2829f5571bbfd8106c6ddd6c6bfd1d7d26721798ac8e617ab9ce3c4304

6d3f0ca9deedbcfa8eec86ba0907881c02c986e8535b56a59b870dd8a6cafa0e

71fd91125c6e138188f4f03e12569bce2994002b07d413d57229893e0a1cb39c

7890e1c690c7e7511f550915ed85e9f7b93bcf6733aeea6b6c636bb89676f3db

83023527528b968adce0ddd1e2ffe23e77c976e59c3cc78103e0249d1f422d43

b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52

b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f

f03dbeb8cf3b9c5181c71397b9b10f7b098ef97d40553e243265061bdb902a0d

+ 35 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/211019-qxeraaggdq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

260cfcaf6a90d085acef11b302e1afc0fe04cf3cbc501ec269690e9e6e5421e4

MD5 hash:

2980bd805988cdb7e1f67c881e10b06d

SHA1 hash:

4d1bedd2ee3866c30f51b535b810b18fec030ce8

Link:

https://www.unpac.me/results/388d61c2-7eab-47d5-b349-dfb0eb8ea859/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/260cfcaf6a90d085acef11b302e1afc0fe04cf3cbc501ec269690e9e6e5421e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_EXE_DiscordURL Create hunting rule
Author:	ditekSHen
Description:	Detects executables Discord URL observed in first stage droppers

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 260cfcaf6a90d085acef11b302e1afc0fe04cf3cbc501ec269690e9e6e5421e4

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/198522/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample