MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28b88aa9eb8a0c26b778b76cf91f5ad2b05c013fcbee258c5df0f9d23200bbf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Renamer


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28b88aa9eb8a0c26b778b76cf91f5ad2b05c013fcbee258c5df0f9d23200bbf9
SHA3-384 hash: eea67131ed8c43a0f7fac5a682c3c689ecedfe607ffb55f3894ff115bad75f51b72a10b7f2d75afa0a147742cc2c0e69
SHA1 hash: 8c422abbefb516b0e4aac85fbc98e639904508fc
MD5 hash: e2c801b8df85d1dd8254b86ae2a61b6c
humanhash: wisconsin-lion-hot-winner
File name:DUE INVOICE.exe
Download: download sample
Signature Renamer
Create hunting rule
File size:1'272'320 bytes
First seen:2021-05-05 18:23:43 UTC
Last seen:2021-05-05 19:03:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:EooLAYDk28KMbyVTMxGu2hGM5kVA/fT2ettf02r:EyCTN5kVGtttf02r
Threatray 42 similar samples on MalwareBazaar
TLSH 4D45CFAC755869F0D35B5E22A3CF0C0683651174A93BE90A8F6013FA1A57F173E39D8E
Reporter abuse_ch
Tags:exe Renamer

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.17877.21073.30429.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling the 'hidden' option for recently created files
Replacing executable files
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Enabling autorun by creating a file
Infecting executable files
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/712415
Signature
Antivirus detection for dropped file
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405135 Sample: DUE INVOICE.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 88 41 Antivirus detection for dropped file 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 4 other signatures 2->47 7 DUE INVOICE.exe 6 2->7         started        10 Paint.exe 5 2->10         started        process3 file4 27 C:\Users\user\AppData\Roaming\ubRWFYC.exe, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\tmpA0AE.tmp, XML 7->29 dropped 31 C:\Users\user\AppData\...\DUE INVOICE.exe.log, ASCII 7->31 dropped 13 DUE INVOICE.exe 40 7->13         started        17 schtasks.exe 1 7->17         started        49 Multi AV Scanner detection for dropped file 10->49 19 schtasks.exe 1 10->19         started        21 Paint.exe 2 10->21         started        signatures5 process6 file7 33 C:\Windows\SysWOW64\7za.exe, PE32 13->33 dropped 35 C:\Windows\...\ACRORD32.EXE-41B0A0C7.pf, PE32 13->35 dropped 37 C:\Users\user\AppData\Roaming\Paint.exe, PE32 13->37 dropped 39 19 other malicious files 13->39 dropped 51 Infects executable files (exe, dll, sys, html) 13->51 23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28b88aa9eb8a0c26b778b76cf91f5ad2b05c013fcbee258c5df0f9d23200bbf9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-05-05 18:24:12 UTC
AV detection:
13 of 47 (27.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fc4ivkplrigcnn3yw5wpsh222kyfyaj7zpxcldc56d45emqaxp4q._file
Verdict:
suspicious
Similar samples:
130a875f36a8c9c6b7f9cf7ef2d863837af130538770c76d92b6016b8a00a6c0
Renamer
1f4349a08e548a9dbfc58aecfae2bf5aca9c3a6c765afc641447acf4818bb07f
Renamer
3c661c7fcc0547fc73f4d07760c6af3fc284e58dd899ee251a1e42bf19925b39
Renamer
4ae09441287bb601114041d8eec7857f10882dfcb48639c155d9a6969da9c5f0
Renamer
93a1f0fa0637acd096c86ec4d7d3c6f73f689bf41f3cd16b5e5bcce48dcdc540
Renamer
9662d1e4c72efe73a1f203ebead6069990342a4da6314737e3a02b08e2d68075
Renamer
b79575224117cddb4e62b8aad2f2b508ec66ba70b2f86f1d52bdfb7003564fcd
Renamer
f10601e3ad39608c71c4c8fe2eba750b990abd187b79d51e4930b3b2ed69ac52
Renamer
f61aad237c0506a3b86a566467ed40fa61e3891af970490004ab0354b63fd22f
Renamer
fa19f07b5cdf08055f110390e930f284f91222fa4c1341c6b9b9d85b21e30837
Renamer
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210505-89ylwd8cba/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Drops startup file
Loads dropped DLL
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/e3a86e84-a7eb-4d9c-b057-33e0e2be6324/
SH256 hash:
9b358344f42d126e956f94fd91c9457466edb8e00af870b903283c0a88582fbb
MD5 hash:
bdb654f73fb327096100b39b19d43e63
SHA1 hash:
24178f56c3626b6ef3b1fb110588226530aa0b39
Link:
https://www.unpac.me/results/e3a86e84-a7eb-4d9c-b057-33e0e2be6324/
SH256 hash:
5a67903575d4725a784f75ec2fb984f64262713783cb813dd1b98494c3480697
MD5 hash:
0c44de3243ac87395573fbf79a12efdf
SHA1 hash:
1a3b53bc6356d71fc483347e81586796d7213cd9
Link:
https://www.unpac.me/results/e3a86e84-a7eb-4d9c-b057-33e0e2be6324/
SH256 hash:
28b88aa9eb8a0c26b778b76cf91f5ad2b05c013fcbee258c5df0f9d23200bbf9
MD5 hash:
e2c801b8df85d1dd8254b86ae2a61b6c
SHA1 hash:
8c422abbefb516b0e4aac85fbc98e639904508fc
Link:
https://www.unpac.me/results/e3a86e84-a7eb-4d9c-b057-33e0e2be6324/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28b88aa9eb8a0c26b778b76cf91f5ad2b05c013fcbee258c5df0f9d23200bbf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_Renamer
Create hunting rule
Author:ditekSHen
Description:Detects Renamer/Tainp variants
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments