MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 266a17ea6c2608d4ed7b8495fb387c649e62224c9eb81b0d6199f12b7f7cdc6a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 266a17ea6c2608d4ed7b8495fb387c649e62224c9eb81b0d6199f12b7f7cdc6a
SHA3-384 hash: c8b03e40a321ee03f26400605f9367c2ca4646864f66f7bd8a43f01a6b1dba850ab8bae0f0ed507227fad1cb12f27b5e
SHA1 hash: 91ea8de1eea4b45679cedf7ecf6a0f008c40a8ca
MD5 hash: efd5b14babec0d6bfc2a738bd40e2873
humanhash: coffee-helium-ohio-nebraska
File name:INVOICE.exe
Download: download sample
File size:579'072 bytes
First seen:2021-01-14 20:22:19 UTC
Last seen:2021-01-14 21:35:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2087285a50d01bf3729a786c15ab23ed (6 x Formbook, 3 x RemcosRAT, 3 x Loki)
ssdeep 12288:Q4uWZb2WKaW25JU+Ch5uhsUziKluR5exBwidq5GvmZ0+dSs:Q7w73M+Ch4iR5cBbiGN+r
Threatray 222 similar samples on MalwareBazaar
TLSH EEC4121872D2C0B2D475023068E9BB7305667C311A7495BFBBE8362F2FB13D199A6387
Reporter abuse_ch
Tags:DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.osmispee.com
Sending IP: 45.85.90.199
From: DHL Express Customer Financial Services<office@osmispee.com>
Subject: Customer Dhl Invoice
Attachment: INVOICE.gz (contains "INVOICE.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INVOICE.exe
Verdict:
Malicious activity
Analysis date:
2021-01-14 21:20:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7e97edd8-03b7-468e-8fe3-475ed72e1960

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112104/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.48175.25232.28237.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Modifying a system executable file
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/581853
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339972 Sample: INVOICE.exe Startdate: 14/01/2021 Architecture: WINDOWS Score: 72 22 Multi AV Scanner detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for sample 2->26 28 2 other signatures 2->28 7 INVOICE.exe 3 2->7         started        process3 file4 18 C:\Users\user\AppData\Local\Temp\...\file.exe, PE32 7->18 dropped 30 Maps a DLL or memory area into another process 7->30 11 INVOICE.exe 7->11         started        13 conhost.exe 7->13         started        signatures5 process6 process7 15 WerFault.exe 23 9 11->15         started        file8 20 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->20 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/266a17ea6c2608d4ed7b8495fb387c649e62224c9eb81b0d6199f12b7f7cdc6a/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 09:58:57 UTC
AV detection:
11 of 44 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ezvbp2tmeyenj3l3qsk7wod4mspgeismt24bwdlbthysw7343rva._file
Verdict:
malicious
Similar samples:
0854f5df5291e4abbcf7cc57f29b3148007ede15c53f61244f9dfefb9669dc96
2f5342dc12629b9db5c1f64b130401580d4a20a862be9293f80942d01c162f32
3a11a9e7276e2d3d9fccd3f6e5a5b46ea9e9fb82946ef89a3f5dc8ca9a243b70
4ed4c6dc0931fc532768d6b208faf7ed7281427c417a048a013c8a7104707582
53f89ac782afeef77891b25e92440050a0bb224ff1eb439ac787364335b661cd
5af5665fcaf756eec2ab43c07645c814438102dba39e782a030025635a8fb713
9888381eb68d98f0581ab81845f2fc9e15af6ba1193a131bdf60497e3a3d1247
9e98384954932a0a9e5f921f257029bf45f721b0d279c8432c4eb5f1bf507795
bce5cf4569147481b12df6d6448ecc1604a5ca28b76c49095b899f934f63cdfa
f05b74930aa9777625a66d2852fb0b690461ef0b5598d35b2d7959721456600d
+ 212 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210114-v83mlzyaws/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
266a17ea6c2608d4ed7b8495fb387c649e62224c9eb81b0d6199f12b7f7cdc6a
MD5 hash:
efd5b14babec0d6bfc2a738bd40e2873
SHA1 hash:
91ea8de1eea4b45679cedf7ecf6a0f008c40a8ca
Link:
https://www.unpac.me/results/c8800c3d-e902-422f-a054-a2db23c6b42f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/266a17ea6c2608d4ed7b8495fb387c649e62224c9eb81b0d6199f12b7f7cdc6a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 2e10054a5ee7f9c7746d526de88cfcc466f28c2c7c26512b3f21c0bc28e2efd2

Executable exe 266a17ea6c2608d4ed7b8495fb387c649e62224c9eb81b0d6199f12b7f7cdc6a

(this sample)

  
Dropped by
MD5 60918b39c57c2fdf70f29ac0ddc8c55c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112104/
  
Dropped by
SHA256 2e10054a5ee7f9c7746d526de88cfcc466f28c2c7c26512b3f21c0bc28e2efd2

Comments