MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

IcedID

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed
SHA3-384 hash:	4677a4a909632204d6349b612e04f406630dabfed29098665e10d9a10e64c026b4cd0cb724dc6c52c92dba03ac867d8a
SHA1 hash:	a117ebc1e8733fd1ee8a54cdf8d78b0eee3774f7
MD5 hash:	4ad5da3c74db6614aeff9d4d46a1ef24
humanhash:	arizona-network-cat-monkey
File name:	Purchase Order.exe
Download:	download sample
Signature	IcedID Create hunting rule
File size:	906'240 bytes
First seen:	2023-06-19 16:53:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:R1BYqtm8OqKwbOSdXD85UYSIJIru9N8MC:x+8OGqSdXwhSIir8
Threatray	1'810 similar samples on MalwareBazaar
TLSH	T11E15D03D76640E63D6B946F74041327147FBD91A2B6FE7C4ACD2B0EE6BC0BA4560260B
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe IcedID

Intelligence

File Origin

# of uploads :

# of downloads :

330

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order.exe

Verdict:

No threats detected

Analysis date:

2023-06-19 16:55:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cad44297-193b-4a20-ad45-a2be4195630e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/400622/

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.7070.10506.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a file

Unauthorized injection to a recently created process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/6490882b0ae9551c77ed7f2e/reports/fe2a9148-958b-4ad5-a211-44f11c94e3dd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/608e0958-b5b6-4ba2-971c-e302b5a6fd56

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1257593

Signature

.NET source code contains potential unpacker

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-06-19 09:26:55 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 36 (69.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f2s7224lankmswsbi4fors4bnuh7wynwwngnqj77ufqmsy5ykdwq._file

Verdict:

malicious

Label(s):

formbook

icedid

IcedID

03f51ffa9c987630724a451ad872f52bf97bd257ad06b58b6194f5dec29c8f13

IcedID

22515e24bf09d7d7b9ed02436f05853d5174aac248eb79c2b32a82096c8b30a3

IcedID

2df55ec2cbfe5ba2ddfd9a597a1c2dcfe3c91f211ba611180c97443773f79732

IcedID

34a8585e0643993caaaa6c3fcd9933354087422062d3c887dada1d65b570bfb3

IcedID

70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1

IcedID

a022bc0ad88cce0b7ef8c68c7602003ff4150006503291b7ead2119ebdecb36d

IcedID

af7efb93740b9b9ee4cd6580a3eefa8298558c9f06b463eb44b03394cde441d5

IcedID

d96b4d0c1efd573f0833df766811861d8b116e92383da4543993971306ecbe4d

IcedID

+ 1'800 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230619-veh37sfb52/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

70382ea1b363da419e2b0e806739138db40b4ec2ea276de2f1aefbd46ee66ac9

MD5 hash:

c260a705d14d1209ee29f226099010a1

SHA1 hash:

f7a97ae4da5562d1064bc7c94d7b68e184361bcf

Detections:

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

Parent samples :

d96b4d0c1efd573f0833df766811861d8b116e92383da4543993971306ecbe4d
70d226c93cae74dfc4fc991b3fc74957cfb08881f53c232ed87e0d22cc5e30f1
76541f045182cd4f956ea38e70aac522dd8cc95bec94eb16ff435ac732da3b97
22515e24bf09d7d7b9ed02436f05853d5174aac248eb79c2b32a82096c8b30a3
2df55ec2cbfe5ba2ddfd9a597a1c2dcfe3c91f211ba611180c97443773f79732
34a8585e0643993caaaa6c3fcd9933354087422062d3c887dada1d65b570bfb3
a022bc0ad88cce0b7ef8c68c7602003ff4150006503291b7ead2119ebdecb36d
03f51ffa9c987630724a451ad872f52bf97bd257ad06b58b6194f5dec29c8f13
395133081793df5c1542b9e77a64a5271d1b358c1a7db674108a7624a9104809
af7efb93740b9b9ee4cd6580a3eefa8298558c9f06b463eb44b03394cde441d5
0335bef9440cae7dd60e617e31258a490b9598e3dfa1325bf79ca9eca5c4c720
4e8d1df344f5009ab35ebb5fed59649cce3e0a9b7f27f312a7cc854eb74b889d
02dc237cae6224ab8277187f6574215e15b4ddd4bf5b2bddbedaa95fc077e4e2
14bd08ddfd5f3fbeffbe9adacf4662f83267492eb8a2ca70a5c7613050039dc9
3c4e179c3ad40c3916a358a7115d8b4ad6d957cb57cecbba7c979057e5370748
16ef953132f6f51c904ccd3e04c933c20110c1dcbab443059df7218392291d5f
2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed
0978bd6c3a575dd054cd139eaecc851695800c859e61ed340b47c9d5bf0d0d38
ce9a0c42305d137c27b4f369996a15387ae6f0d1e391116f54e7733918083239

SH256 hash:

69ae0d2e1c3e2bbbe5183e41b3ac08a711b71c2740e59fab69abc6b463b249ae

MD5 hash:

4fc5c70a26e153516338b2bd4a6df5fb

SHA1 hash:

6d7e91edb55a50e3aeacf06752101ae672badc50

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

SH256 hash:

52f358d201e81d3a0391cedd3042e2f957555b77aa49559f7fb810bbb7673ba1

MD5 hash:

c785ddc46141af772c75101d17c46a41

SHA1 hash:

e248723b6f60cc7607980d07172b64c33b2b2f15

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

SH256 hash:

24b077fd9b344cd944a736f24ada8b80c7285f7343ff9dc56b58769bde27e4f6

MD5 hash:

64fcc151459a284a183dbbc044aa2142

SHA1 hash:

a33fa55f857e654bb5688c116680217e673bb600

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

SH256 hash:

090b7664843a3809aac0c97dbc7200ce5845aa3136f3cc6591b27789270316ba

MD5 hash:

c09f231a12050b4daeeaa3b340db5421

SHA1 hash:

875f4920e139dc1b4b28ab50a3a218f4451aa0ab

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

SH256 hash:

4c2a667b10785028978b6577b2a5c2b79cc7387256533801158efeaef0cae281

MD5 hash:

fb1fa47ba7bd7a56029f8ede724cb575

SHA1 hash:

3ad6afa24feb46af04c6ca886669cfc2aab1935d

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

SH256 hash:

2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed

MD5 hash:

4ad5da3c74db6614aeff9d4d46a1ef24

SHA1 hash:

a117ebc1e8733fd1ee8a54cdf8d78b0eee3774f7

Link:

https://www.unpac.me/results/7c524787-00aa-4475-a1e9-53eb6198b2f0/

Malware family:

XLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2ea5fd6b8b03/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2ea5fd6b8b0354c95a41470ae8cb816d0ffb61b6b34cd827ffa160c963b850ed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/400622/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample