MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 353a133b42bee88f0bc7c2fb4c5bcac42d1d63e5098c1c4bf881670c7dfa2c9e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 353a133b42bee88f0bc7c2fb4c5bcac42d1d63e5098c1c4bf881670c7dfa2c9e
SHA3-384 hash: a897a0deaabf33cd2767276d02a45052c013a00c60000289513d1d4ac76f802eae11cbd4aa80eb3fa5369e785f256e1a
SHA1 hash: 765a800eb9dd2d8acf541eb7eda886a1b5d5aa46
MD5 hash: 3957333ce88482d8bffdce4c0a0b8208
humanhash: romeo-vermont-indigo-coffee
File name: Συμβουλές πληρωμής για Po 45371_pdf.exe
File size: 1'203'200 bytes
First seen: 2023-01-26 19:17:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:OGijvhWwIahgkuLIcS81HYjlK/jB5nVSqVWnJ6:d6I0gkIIISjqB5VJw
Threatray 6'018 similar samples on MalwareBazaar
TLSH T1C345E06D01B7DF8FD97980B9C035D29097F550A9A19AE7C2AEC5F0FA4CC270D4A8347A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE): PE icon
dhash icon 71e8e8cccce8e071 (8 x AgentTesla, 5 x SnakeKeylogger, 2 x Formbook)
Reporter 0xToxin
Tags: exe

Intelligence


File Origin
# of uploads:
1
# of downloads:
185
Origin country:
IL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Συμβουλές πληρωμής για Po 45371_pdf.exe
Verdict:
No threats detected
Analysis date:
2023-01-26 19:18:28 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Creating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected AntiVM3
Behaviour
Behavior Graph:
Behavior Graph ID: 792530
Sample: 5371_pdf.exe
Startdate: 26/01/2023
Architecture: WINDOWS
Score: 100
Signatures on submitted sample:
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
5 other signatures
Processes started from the sample: fireplough.exe (3), 5371_pdf.exe (3), fireplough.exe (2)
fireplough.exe (process 6):
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
May check the online IP address of the machine
Machine Learning detection for dropped file
Started: fireplough.exe (process 14)
5371_pdf.exe (process 9):
Dropped: C:\Users\user\AppData\...\5371_pdf.exe.log, ASCII
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Writes or reads registry keys via WMI
Started: 5371_pdf.exe (process 18)
fireplough.exe (process 12):
Started: fireplough.exe (process 21), fireplough.exe (process 23)
fireplough.exe (process 14):
DNS: Smtp.athens.gr
Tries to harvest and steal browser information (history, passwords, etc)
5371_pdf.exe (process 18):
DNS/IP: mta1.athens.gr 193.186.200.6, ports 465, 49697, 49700, AS5403AT Greece
DNS/IP: showip.net 162.55.60.2, ports 49696, 49699, 80, ACPCA United States
DNS: Smtp.athens.gr
Dropped: C:\Users\user\AppData\...\fireplough.exe, PE32
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2023-01-26 18:12:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
21 of 26 (80.77%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
SHA256 hash:
4d72160a9815690b32ab7e5639018f3c1b4fd96ed9a5b7711bf1c8fd2308c62b
MD5 hash:
16d560e0f5d6d1c47cc5cf1262806493
SHA1 hash:
8456b3d2cfdb588f0ccbc886012c071b2317a546
SHA256 hash:
cad832507cf7b2a8a604d6bfcb38385c689c92a831871c4bca3ea0c6d86f97f3
MD5 hash:
7c955a84bb827bf223ccea847a12779d
SHA1 hash:
dfe81b55af2be145dc0269fe5fbca3e03cf3e4ed
SHA256 hash:
411569f9f0b865c651adc1234d23f86cd98fe5cd641704702276e9882be113b6
MD5 hash:
7648892096f37af50468509c5b051180
SHA1 hash:
a56a074c2770152761f6c4975db0e9f7d57f8cda
SHA256 hash:
e481204ec993fd317cd61fa4ccbed9953177f8bb0a39eae0adece1b5b57d285c
MD5 hash:
ce92d021c309bc8c3ce1da45d11acf56
SHA1 hash:
86ffd72a5054960e588bbd5968069e7b313162ef
SHA256 hash:
ff1b42ea7d56a37eae801adbddb7116f52a4664c0b41302736f522852edc2747
MD5 hash:
89ac57478044c57c7195943116a521e0
SHA1 hash:
1ff2bafeed795423e3538d810bda8e1e3fcdcfa5
SHA256 hash:
353a133b42bee88f0bc7c2fb4c5bcac42d1d63e5098c1c4bf881670c7dfa2c9e
MD5 hash:
3957333ce88482d8bffdce4c0a0b8208
SHA1 hash:
765a800eb9dd2d8acf541eb7eda886a1b5d5aa46
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments