MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e043413f5c0ba21ec762bb6007cf8fbb93c7dc25eb4bcd03d276d128f310cfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e043413f5c0ba21ec762bb6007cf8fbb93c7dc25eb4bcd03d276d128f310cfe
SHA3-384 hash: b75b3928fa2e29e69f18d1276e633141bd1b33481f037c998a8a26dcb26abe8331a799a7ee2522b92d4a775063e1e950
SHA1 hash: ed11e243b07b7c6e4e7fdbd917fd0e19022eee28
MD5 hash: c7715af388ba8ddd7a23d88d6b26d0ea
humanhash: oklahoma-leopard-romeo-cold
File name:Timetable_Overdue_Account_Settlement _pdf.exe
Download: download sample
File size:271'872 bytes
First seen:2020-06-03 05:09:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:oAaUxhNMJx1Mp1YjebV7Nr6JD6u8w/CpLmj8NigJPIQqJf1oFCrL391+ondYJWPC:1aUDG3Kp1Y6VEJD6LpiVLOQVP1m8
Threatray 422 similar samples on MalwareBazaar
TLSH 52446A1632C95836C17D4233263643C0E7769E063693E71F69EE63185F372877B1AB8A
Reporter jarumlus

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 07:43:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
19 of 31 (61.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fycdie7vyc5cd3dwfo3aa7hy7o4ty7ocl22lzub5e5wrfdzrbt7a._file
Verdict:
malicious
Similar samples:
073c3d60993b41a1ea5847c06dab48a4bf4e3da87e74d26d8d51a1c11e0dae0c
0776457840077a9b6ac113b23ebf60c224c3c7b4807c6698fdfe764531d285be
0f455b48c43367bf28076037a2d441e78f81143ea5067f144e7d5c6abb79dc73
18db348d2bc13a33da2eb37da197acc9072aab8a006ee052e5bfbc57ffc99cee
391ea7416464160ef2c7471149d584e4ae9cbd9fa2062cd4319481db7cf82cf3
6689bb01faa4b79ccbf36e24360b14f2ee181d2bf305b7ca59fd275109e92dc1
7501745bfca00a30575e2ea4219b88ef3d4b19ff684deefce5c50d329f9bfc51
b44ef73bf2306886ca92291cbbdc5b0d07d6878f9a1b3c84ce476ca69cc4532e
d7b266bb9eacabd128560d80eea9195b42b227df16d460f1c0e13ed6575ca627
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d
+ 412 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
agilenet persistence spyware
Link:
https://tria.ge/reports/201109-6zdghqvdcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 788ca3bd19c3c9181bf0e9eee1a92d5dd6ed21edc3472927ae6b374dca681a96

Executable exe 2e043413f5c0ba21ec762bb6007cf8fbb93c7dc25eb4bcd03d276d128f310cfe

(this sample)

  
Dropped by
MD5 d3ae16c91969d403243459d373bbb650
  
Dropped by
SHA256 788ca3bd19c3c9181bf0e9eee1a92d5dd6ed21edc3472927ae6b374dca681a96
  
Delivery method
Distributed via e-mail attachment

Comments