MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a
SHA3-384 hash: 57ef49a05c812a5358e9a81ccb5c02e80217874adb5f6f657657e39fe29e36973e6f569a89e5a2dd05be9c00a6c5eab5
SHA1 hash: 9bcce6d689a3c51d3be1dd3d18916d80bfb67dd4
MD5 hash: 1d9dcacc61aaacca64e3776e9bb06e94
humanhash: kentucky-juliet-west-summer
File name:1d9dcacc61aaacca64e3776e9bb06e94.exe
Download: download sample
File size:387'584 bytes
First seen:2020-12-18 07:46:45 UTC
Last seen:2020-12-18 09:58:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 712f4a29c405ecb576101d367b2180fb (14 x Smoke Loader, 2 x AZORult, 1 x Formbook)
ssdeep 6144:lof7DeNUSfGgHCU/2McdfoI/ZX0rYfCzuCCMQZN/OdnFQ8+uXNvxsCBpYu+6ZfOP:UYV6MorX7qzuC3QHO9FQgd5sCBlfOP
Threatray 926 similar samples on MalwareBazaar
TLSH A78412801ED2DD7AC09523B8C83BDC90682278B1CFD83B994699F51EF836B87D40795E
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
New Order.doc
Verdict:
Malicious activity
Analysis date:
2020-12-17 08:23:52 UTC
Tags:
ole-embedded trojan exploit CVE-2017-11882 loader smoke stealer teamviewer tvrat rat
Link:
https://app.any.run/tasks/8139ef17-508d-43bc-b6f8-55e253aa5fd7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108313/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/566046
Signature
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Multi AV Scanner detection for submitted file
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332102 Sample: xWLGUQa6af.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 72 19 cdn.onenote.net 2->19 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Very long command line found 2->27 29 3 other signatures 2->29 8 xWLGUQa6af.exe 2->8         started        signatures3 process4 signatures5 31 Very long command line found 8->31 33 Binary is likely a compiled AutoIt script file 8->33 11 powershell.exe 9 8->11         started        process6 signatures7 35 Very long command line found 11->35 14 powershell.exe 15 16 11->14         started        17 conhost.exe 11->17         started        process8 dnsIp9 21 paste.ee 104.18.48.20, 443, 49752 CLOUDFLARENETUS United States 14->21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a/
Threat name:
Win32.Trojan.Povertel
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 08:50:07 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
28102f94dd691b7e8f350f294bb627cc5620188b9b8f3fb5fba6e822924105fe
62e9a9522a98f1a4ad322c5ef52fa3187a1204df9455d57766e4b221dc56fd35
b1cd81ef90363936ef04a6d5cabb539bbc4a89a25b6baf6777e1a3e373455f40
ca0ffb047bb011ae244daae2f9eb29e4e2db3d77817c5eea1636ce57b6c041cb
cda533fbcdc33bfc7242c90e8e0a72dd1448e78d4c40e7d9ae5bcd183f94ae7b
d99b374a5972bbdeb57de9c8a41cc6b8c3f8928916151a40257967baa855917b
def3f8797891579623385136838b1526096afc2bf01f9a08e27aa2073b6d7539
e1d51f402e88ba4bdb8ae2906a6158ef753c50a7eeae7d8bb5d832a8c7492027
ee21511b610cd2a154c85c04c0e3d88f82b0ee835afd51247a1a7e97900cd733
fd6545dad035b74dea3eb7a3d62a3270331db331479a8194e32333abbec20da6
+ 916 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx
Link:
https://tria.ge/reports/201218-hqqranf5qx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Blocklisted process makes network request
Malware Config
Dropper Extraction:
httPs://paste.ee/r/5DfGL
httPs://paste.ee/r/nCYHY
Unpacked files
SH256 hash:
2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a
MD5 hash:
1d9dcacc61aaacca64e3776e9bb06e94
SHA1 hash:
9bcce6d689a3c51d3be1dd3d18916d80bfb67dd4
Link:
https://www.unpac.me/results/15dfc652-2c8e-4cc7-8a5f-68f2a6453da9/
SH256 hash:
1762fd9c39192e513abcccd7bd556eeb5cdfa2889fb7983b2c15d9c0f7fa3fd6
MD5 hash:
9189edded1608c5702bffd193d2c79ee
SHA1 hash:
05294f3cc93e1e4df83d94437a041e1dafbb6077
Link:
https://www.unpac.me/results/15dfc652-2c8e-4cc7-8a5f-68f2a6453da9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Sysn
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2fb9d1f6c39bdd44d58fb6c896187dbb937a1c7350a137b24ff377cc29aa580a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/925030/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108313/

Comments