MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27af0c25e1edb4ecea2db8cb568a8cac4cdfffd042e03f07595ef536625c9792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27af0c25e1edb4ecea2db8cb568a8cac4cdfffd042e03f07595ef536625c9792
SHA3-384 hash: cbb25ba88f92d21329f7b85877fb4108fa069f2aea441268bab9ba28734792ad32b9e166573ccbc0b4f21d98fcab3751
SHA1 hash: efae6830c56a95c2c0333510471670770b6fcb02
MD5 hash: 95aef1c92519b30f7efe3a138d68f32a
humanhash: william-fix-chicken-zulu
File name:FarEastSingapore_QuoteRequest02122020.exe
Download: download sample
File size:714'240 bytes
First seen:2020-12-04 06:36:49 UTC
Last seen:2020-12-04 09:14:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:cIncX9gjWbgosJwd4Tu1J09dJB+nYm+JPa40hAIRoeL4ZXGgOw:1g9B3k841JQnYrJ+tLL4Z2gO
Threatray 11 similar samples on MalwareBazaar
TLSH 89E4017162A97BA5E6765FF4A42134410FB5717B5A70E38DACC210CB22ABB00DF91E73
Reporter fabjer
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106705/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.405.14648.11189.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Creating a file in the %temp% directory
Reading critical registry keys
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/555386
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AntiVM_3
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326791 Sample: FarEastSingapore_QuoteReque... Startdate: 04/12/2020 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for submitted file 2->42 44 Yara detected Snake Keylogger 2->44 46 Yara detected AntiVM_3 2->46 48 6 other signatures 2->48 7 FarEastSingapore_QuoteRequest02122020.exe 3 2->7         started        11 %nmoufstr%.exe 3 2->11         started        process3 file4 24 FarEastSingapore_Q...est02122020.exe.log, ASCII 7->24 dropped 50 Injects a PE file into a foreign processes 7->50 13 FarEastSingapore_QuoteRequest02122020.exe 15 8 7->13         started        18 FarEastSingapore_QuoteRequest02122020.exe 7->18         started        52 Multi AV Scanner detection for dropped file 11->52 54 Machine Learning detection for dropped file 11->54 20 %nmoufstr%.exe 14 2 11->20         started        signatures5 process6 dnsIp7 32 checkip.dyndns.org 13->32 34 mail.fsicibd.com 203.188.252.35, 49735, 49737, 49738 ISN-AS-APISNInternetServiceProviderBD Bangladesh 13->34 40 2 other IPs or domains 13->40 26 C:\Users\user\AppData\...\%nmoufstr%.exe, PE32 13->26 dropped 28 C:\Users\user\AppData\...\%nmoufstr%.url, MS 13->28 dropped 30 C:\Users\...\%nmoufstr%.exe:Zone.Identifier, ASCII 13->30 dropped 56 Tries to steal Mail credentials (via file access) 13->56 58 Tries to harvest and steal ftp login credentials 13->58 60 Tries to harvest and steal browser information (history, passwords, etc) 13->60 36 checkip.dyndns.org 20->36 38 162.88.193.70, 49740, 49741, 80 DYNDNSUS United States 20->38 22 WerFault.exe 23 9 20->22         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27af0c25e1edb4ecea2db8cb568a8cac4cdfffd042e03f07595ef536625c9792/
Threat name:
ByteCode-MSIL.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 20:29:46 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6xqyjpb5w2oz2rnxdfvncumvrgn776qilqd6b2zl32tmys4s6ja._file
Verdict:
unknown
Similar samples:
2c0c11555412e75e830be16688aba26096a7110a3befefb865ddf5410a89a297
4bc5afb7fa8639008d294a8afb8f42531bfcf084398600500bdc81533602c760
5192ad844549de866d34a6a739e6171acd2eabaab69230db37c931efd85b390b
5e74989efa96ead9311c5927e6f6a2be657a418de923461ec520d09aeaee970a
61b69f7d85ced51c8f0aedc90a74cf60ceb166ee2b4eec7b0f559a8eda47ce48
6fe5e475ec18550353f2e1e2affdbeb8ea72603f9059af42c36ee24f4ce08c32
76c7edf5852cfb7559a3886e0df7dee4422a624403630a60b7584bbd050c89b6
89f7219c6aed63932df5feb7a41fb92f3ef7ef2885b9508a612d59644792ccb1
df702434f7363b55d44177136c0700447932a6568f48c4638a772a1694055345
e385b8f5946a41469f49fad4aaeb98e510e79afd0ba6c8546c7b6548da61b8e6
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201204-kjtqrbvgae/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
27af0c25e1edb4ecea2db8cb568a8cac4cdfffd042e03f07595ef536625c9792
MD5 hash:
95aef1c92519b30f7efe3a138d68f32a
SHA1 hash:
efae6830c56a95c2c0333510471670770b6fcb02
Link:
https://www.unpac.me/results/89d9d8d3-68c7-49d2-8dac-74a50d11ab9b/
SH256 hash:
b891014576c8a2ba871eeabf8215ccc5ae1962034b52c55505d0a56bbc785dd7
MD5 hash:
67846030b94069c254baadab6aa5392c
SHA1 hash:
3bb5ad3dd965e3c0a8d7ff3ce026ef86f23160b3
Link:
https://www.unpac.me/results/89d9d8d3-68c7-49d2-8dac-74a50d11ab9b/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/89d9d8d3-68c7-49d2-8dac-74a50d11ab9b/
SH256 hash:
3759c3c375638e2351f9fb1302b65cf9639eda40c730c37b8e1ff3c07a8464c8
MD5 hash:
4d2f9d58cb4c13575e69f5786ceb0f14
SHA1 hash:
d1ea751880a634c22342ecb8e5eb4b7f5c2171b6
Link:
https://www.unpac.me/results/89d9d8d3-68c7-49d2-8dac-74a50d11ab9b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27af0c25e1edb4ecea2db8cb568a8cac4cdfffd042e03f07595ef536625c9792

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 0e143bc1d4663fbc584a9675232ab5db0cfa76065e6a2ed3e9900ddd7b5a1674

Executable exe 27af0c25e1edb4ecea2db8cb568a8cac4cdfffd042e03f07595ef536625c9792

(this sample)

  
Dropped by
SHA256 0e143bc1d4663fbc584a9675232ab5db0cfa76065e6a2ed3e9900ddd7b5a1674
  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/106705/

Comments