MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 378a43b4576b7d9a7bf424295f83cee901ad8347351285a3dc0708d78312a4cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 378a43b4576b7d9a7bf424295f83cee901ad8347351285a3dc0708d78312a4cc
SHA3-384 hash: 8e0f0e1fd8cf332e9a2f89b8610c6adae96fa02e6ec220060addc76c5ee530b91cbaf7c893401d6ba581c859a63ce3eb
SHA1 hash: d68c9fb8e0a1dcfafed41926b61086c80ad82029
MD5 hash: 50aee2af0ce78ea1907f631724fb0376
humanhash: monkey-lima-jersey-yellow
File name:OC_00059837.exe
Download: download sample
File size:1'155'072 bytes
First seen:2021-03-10 08:43:54 UTC
Last seen:2021-03-10 10:46:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:f68q0PmIAoIhDyA/zDjW05/Uqz+WdtpnbN7pJaS:ftYHhDbz/PjtLpJ
Threatray 1'019 similar samples on MalwareBazaar
TLSH 6F35CF02FE8B9485D073CA78CA324B6B9218BD5704649D2D382EBD2DB077AD1E95DFC1
Reporter abuse_ch
Tags:exe HostGator


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gateway32.websitewelcome.com
Sending IP: 192.185.145.122
From: Miguel Fernandez <contabilidad@corporacionup.com>
Subject: ORDEN DE COMPRA
Attachment: OC_00059837.cab (contains "OC_00059837.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OC_00059837.exe
Verdict:
Malicious activity
Analysis date:
2021-03-10 08:47:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e29e9848-01a3-4db4-ac90-f62990b10100

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/123517/
Detection(s):
SecuriteInfo.com.Variant.Bulz.387573.28508.1884.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/634040
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 365992 Sample: OC_00059837.exe Startdate: 10/03/2021 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for dropped file 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 8 other signatures 2->48 8 OC_00059837.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\Roaming\PwQUeVi.exe, PE32 8->26 dropped 28 C:\Users\user\...\PwQUeVi.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\...\tmp8393.tmp, XML 8->30 dropped 32 C:\Users\user\AppData\...\OC_00059837.exe.log, ASCII 8->32 dropped 50 Detected unpacking (changes PE section rights) 8->50 52 Injects a PE file into a foreign processes 8->52 54 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 8->54 12 OC_00059837.exe 16 8->12         started        16 schtasks.exe 1 8->16         started        18 OC_00059837.exe 8->18         started        signatures5 process6 dnsIp7 38 www.diagtest.com.pe 12->38 40 diagtest.com.pe 161.132.18.162, 49724, 80 RedCientificaPeruanaPE Peru 12->40 34 C:\Users\user\AppData\Local\Temp\A.exe, PE32 12->34 dropped 36 C:\Users\user\AppData\Local\...\A[1], PE32 12->36 dropped 20 cmd.exe 2 12->20         started        22 conhost.exe 16->22         started        file8 process9 process10 24 conhost.exe 20->24         started       
Gathering data
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-03-09 20:47:53 UTC
AV detection:
8 of 47 (17.02%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g6fehncxnn6zu67uequv7a6o5ea23a2hgujili64a4enpaysutga._file
Verdict:
malicious
Similar samples:
09bdb0fb2e5689963f8375783abf0d87d2dbccc6a7ed8b03d7a53af29ab2c4d6
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
2f53c96770351e95583b6c3d3bde7c4d44f0fc9e324517fd084a61000ed63dde
3aedf2b9413bb9eb0af9daf292e5461a910e182ab9b30debb814f769323a85ff
4b5962005864c7cd8c362e37987f7091991f6f3f0a992e02e1b51beb92292a5d
95654631036f198ae09278641c978609781eee27cdff60dcfe05ba72b367eee7
accfb8da98afdd5a90448bcdead0ce0913e7c1c505a0e4a4fe661fb4dae3da6f
afa655613277fa5927ea6e777245abc8812101008ff0d542efd12b9ec4d9e17c
c148d7544c90541afc565d03219b8c579ac18a52b1baa3e70eb22bf12cc9a96e
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
+ 1'009 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210310-k26cm82b32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
f9d949d2f56c449c5d346bb93ed04d38426f563b022dd179ae330dab46682c3b
MD5 hash:
871e23d748ba756eaab5777708f250f8
SHA1 hash:
c9816d4ab38541aaab9aa3eab7cb4898d0b72e4a
Link:
https://www.unpac.me/results/597e29ff-9b68-41e2-8c2c-49621cefe8cf/
SH256 hash:
378a43b4576b7d9a7bf424295f83cee901ad8347351285a3dc0708d78312a4cc
MD5 hash:
50aee2af0ce78ea1907f631724fb0376
SHA1 hash:
d68c9fb8e0a1dcfafed41926b61086c80ad82029
Link:
https://www.unpac.me/results/597e29ff-9b68-41e2-8c2c-49621cefe8cf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/378a43b4576b7d9a7bf424295f83cee901ad8347351285a3dc0708d78312a4cc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

cab 2eb435f1d3884e0fce4447ac94965ffff4be5f6744cb35653330f5c980106f0e

Executable exe 378a43b4576b7d9a7bf424295f83cee901ad8347351285a3dc0708d78312a4cc

(this sample)

  
Dropped by
MD5 b6cf517388dab79e9d5127a1f866c4b5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/123517/
  
Dropped by
SHA256 2eb435f1d3884e0fce4447ac94965ffff4be5f6744cb35653330f5c980106f0e

Comments