MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36ab2872a59101f4cecd684b557281dc264445c0e5624617883f304b31daedc2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown

Vendor detections: 10



SHA256 hash: 36ab2872a59101f4cecd684b557281dc264445c0e5624617883f304b31daedc2
SHA3-384 hash: a3f4feec3eb59ab934b8d8aa840117b5d231ffad80be7438e65770d3284742aeae2c58277d92635f0d5266f6ae56679d
SHA1 hash: 2944c0f2976ef6a3bb3087ee84ce2aa5005dab4d
MD5 hash: b23329f6fd35fa14775924ad3ba1c298
humanhash: apart-harry-delaware-arizona
File name: DHL AWB-20211115004.pdf.exe
File size: 1'506'304 bytes
First seen: 2021-11-15 19:25:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 24576:YyEkyRkC/X4Oxy4ehGLYV2QX+HFV4STXfh3/1Pbsxm2yT0wg/PT0Z1DuA5n4Qj2s:XERP/oN4ehX0k+3jXfhN4426dg0nhsd6
Threatray: 128 similar samples on MalwareBazaar
TLSH: T10165223032D95215DD7683B41D3A81C013BA79AB3F14CA9D5C89228DDEB376B8B217B7
Reporter: malwarelabnet
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 89
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
DNS request
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Behaviour
Behavior Graph (rendered graph not reproduced; the details recoverable from it are listed below)
Behavior Graph ID: 522440
Sample: DHL AWB-20211115004.pdf.exe
Start date: 16/11/2021
Architecture: WINDOWS
Score: 100
Signatures shown in the graph: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 5 other signatures; Injects a PE file into a foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Infects executable files (exe, dll, sys, html)
Processes started: DHL AWB-20211115004.pdf.exe (repeatedly re-launches itself through several generations), Paint.exe, plus 2 other processes
Network: 192.168.2.1 (unknown)
Files dropped: C:\Users\...\DHL AWB-20211115004.pdf.exe.log (ASCII); C:\Users\user\AppData\...\LookupSvi.exe (PE32); C:\Users\user\AppData\Roaming\...\secdrv.exe (PE32); C:\Users\user\AppData\...\AeLookupSvi.exe (PE32); C:\Users\user\AppData\Roaming\...\ProfSvc.exe (PE32); C:\Windows\SysWOW64\7za.exe (PE32); C:\Users\user\AppData\Roaming\Paint.exe (PE32); C:\Program Files\...\msoia.exe (PE32); 34 other files (16 malicious)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-11-15 19:26:05 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files

SHA256 hash: bcf654651c834ff5f885a6ab272d000aa48acea1ebe68ce146c68c863c4736a8
MD5 hash: cf7e259dd0225ae86a29f5952bcb5b4d
SHA1 hash: 4c6b2363a754bcaa07edeee5b4837b464cfb5d5c

SHA256 hash: 1a9959ea7deea1e64492c1e5b541c3e9c4075709d98602a2898eb93df5a5f503
MD5 hash: eda3785ae32c0aaae694260344b0a195
SHA1 hash: 5433ff01fe2ef26798201c770fdea121bee5b61d

SHA256 hash: 63197863736ddd15e5b2426f8a2de333cced79865659858d8eff60146347f7b5
MD5 hash: d7cb3da1c5db1e38309cdef6f1f28ce6
SHA1 hash: b3d6e797f6adb58c07f336f6ceea5cd7a030fb6b

SHA256 hash: bd4c4912209802bb457983177d94b220d20dc9775ff973f90bd1c6afd729bc9c
MD5 hash: 8cde05c2cc918a68b075bdb2854c9994
SHA1 hash: bc3c4e2826370171102ee8b7bd317493cd72c15f

SHA256 hash: 5b63c449b042ff63e67c53c73a06ce1ac887ccb817f271b3c3081be89584748f
MD5 hash: d742bbf2699c7dbc81039b7f17b79271
SHA1 hash: f1ba0cd1ca31a1f2259dbf154b12ff839ffbf3e8

SHA256 hash: a8dcb3bbabfba6e7f22207492f4ff6d8976bb2bee502ce145ff0e8b33d7c42ae
MD5 hash: 4f328caa4aec70994c3f2250ae8702a7
SHA1 hash: 0f8c1b9315a9988adee3320ba77fde0e88e8774f

SHA256 hash: c57394dcdf14ee5770166280e6c8535e990af404c7649cab7ba6156afe4d7983
MD5 hash: 5693725de20432aff515cacbf202b6c3
SHA1 hash: e337f47898eeac202b08d859bd8292e4b88747c7

SHA256 hash: 9fd9ae97b476042abcaae49dee6cb8463b5ccac3a2cdd7df2feb5bbf0d58ca6b
MD5 hash: 7a8fb2af99495ba9b0c3dbdf1cd350c9
SHA1 hash: 330327cf75d808cacf8375c6220b9ad83372f626

SHA256 hash: ebdaf8b3455373f1e214b7e1bc3866e598270123fc05110e6af36f13aad7d53d
MD5 hash: 6c592156ecec344755c200d9bc860454
SHA1 hash: 8287502a10d374ac25e8712b954a24dca0cdd007

SHA256 hash: 2f7a005b9b83aec6dd19e6b53530745d9fdff0590ffca0a8ed8047dc11b3c335
MD5 hash: 927c0ce36865c9f2704cbe8c81c23e83
SHA1 hash: cf7a9098ec615cdf62f7ccf127b1c71ed4e97550

SHA256 hash: bf8e7e7376483abee4047d5faffb00c34b0faa6551531c112dc422716eeadd32
MD5 hash: ce490da769ea596e0ded5e50e2bccf99
SHA1 hash: 4382ebc9e5a7986df2a3bdb7c352d3d55703a4fa

SHA256 hash: a5c50b98d18fc2687a9dee335742a1d0738c3aa21d212af563571336b8e13620
MD5 hash: 2684c88620aba00cbdc13a4aad9dd53c
SHA1 hash: d3282d6bc451b7522c3056aaa494245ff670636b

SHA256 hash: 645b339f8e74b96c421aa876d3d7a56419051024e9ac29c378679b387e6204a8
MD5 hash: 44142d1a1edc973dd0142a910a120380
SHA1 hash: dc6cd08cb56b4b500d718418f5ba2d68c10890a2

SHA256 hash: 36ab2872a59101f4cecd684b557281dc264445c0e5624617883f304b31daedc2
MD5 hash: b23329f6fd35fa14775924ad3ba1c298
SHA1 hash: 2944c0f2976ef6a3bb3087ee84ce2aa5005dab4d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Author: ditekSHen
Description: Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments