MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199
SHA3-384 hash: 45c33b0dc1506d9d8c26ec8bcab447b7f2e35f2568fe63f7d28d3f5e3e96216f4116478c5180f7f81d1d18830fa1ddd3
SHA1 hash: 418b7a4a267fdefa31f3d092a4d3ad9cc711b141
MD5 hash: c1dd1199eff02d160e47cb7c8a4ad20f
humanhash: bluebird-magazine-west-hamper
File name:WESMAC_PO from Omegabv.com
Download: download sample
File size:366'592 bytes
First seen:2020-08-07 13:27:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:oklyUlP4osXBDh7txQMgWUbD4PJGjd7gCSybp1dOLgiWpiA873RYNpqM+5ns695m:h7eDtbxJAVgCpbrdOLgrpiA8mqDs695m
Threatray 504 similar samples on MalwareBazaar
TLSH 0D74AE5876ACB78EC1EB8E75497C3C10AA20B8275A27C34B7587216C5D5DBCA8E407F3
Reporter abuse_ch
Tags:com HostGator


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway20.websitewelcome.com
Sending IP: 192.185.64.36
From: Van Dijk <sales4@chinaweinuo.com>
Subject: Re: ORDER OF GOODS_WESMAC_PO from Omega BV,
Attachment: WESMAC_PO from Omegabv.rar (contains "WESMAC_PO from Omegabv.com")

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41657/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Launching a process
Deleting a recently created file
Deleting of the original file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/415320
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 13:29:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fcuulmfpwsp6thniuolunialspa2fqgvxbzv4eoymf55nfvs6gmq._file
Verdict:
malicious
Similar samples:
082433d5a03c1b8d3afcddfd4dade5d0d14366ad0d1e8d04c2f70fb40558b9cf
2b911df18337cc69e42d8c16ab58856af2722c7618146a491c9efe54aa73fdbe
4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889
6ed38f127b3a25cff62c0855aeba85a7134a400b1dd4ef06412c2a96729b9991
76021aea3ce29a8755d97b4c13d16a7bcb9eb0bd6e1a2d1df62ffeb8fb9397cd
92be89b620f61dba7a3c69c6e597787a02b9b8f7e0de333c589ce5048cbd8e6e
a7ed52eaed3c431823109509515c36b6bf45aab634606980509950674f018f88
b8860da111fd60fd6bcb2d6ffd3f1a62357d1da8888b766726bcf0919ba25e3e
e91568f40d148d2bdf04cf14156febbbb0d72e10b876c38d0900e0a66cb8706f
febbc268d54ae4612531ceb696c39bd8c0a60ea22d2877751eecce32bd651257
+ 494 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200807-6ddywndkzx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Loads dropped DLL
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar f76d2ddf23320bee3f76fd2d4967e5b95b45674eaa690a5cbf7cb6e7ce66ad1e

Executable exe 28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199

(this sample)

  
Dropped by
MD5 13584fb80edd408206024482b33027e4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41657/
  
Dropped by
SHA256 f76d2ddf23320bee3f76fd2d4967e5b95b45674eaa690a5cbf7cb6e7ce66ad1e

Comments