MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39810e77e5073a5ca086563f084c8ff0f6e58ae7a0ba1bb268a52669be840f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	39810e77e5073a5ca086563f084c8ff0f6e58ae7a0ba1bb268a52669be840f8f
SHA3-384 hash:	269016b514a13bbb78178fb439c39b80408e6aa7dd73a9571216d1c020d113592f22b06586c80728254f39fa09953a60
SHA1 hash:	a3ecf2f259d4aff3b346e92c1acc72e7bf6b6e3b
MD5 hash:	3e52d6d8a70bb8811001d7551d4c26ee
humanhash:	finch-lactose-sodium-east
File name:	SHIPPING INVOICE DOCUMENTS.exe
Download:	download sample
File size:	18'432 bytes
First seen:	2022-07-05 03:17:39 UTC
Last seen:	2022-07-05 13:20:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:vDJnwROR7okeeFb0kAEqXOX10ZWIASWZvGfiiay9ycyrsR2vZ3:vgOR7oHGR1mWrUycyrsR2vZ3
Threatray	688 similar samples on MalwareBazaar
TLSH	T14D824CD067E982A1C9FA0EBB5DB353911E36B602FC29DD1F24CDE30B9D12B564832761
TrID	72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.4% (.EXE) Win64 Executable (generic) (10523/12/4) 6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.4% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	GovCERT_CH
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

223

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetectNet.01.8643.936.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed wacatac

Link:

https://www.filescan.io/uploads/62c3ad6b783441cda106c716/reports/e90e3111-3693-45f8-97ac-abf5de433459/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/acf7d271-6b76-410f-a644-b5c2a466ee61

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1024533

Signature

.NET source code contains potential unpacker

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39810e77e5073a5ca086563f084c8ff0f6e58ae7a0ba1bb268a52669be840f8f/

Threat name:

ByteCode-MSIL.Downloader.PsDownload

Status:

Malicious

First seen:

2022-07-05 01:27:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hgaq457fa45fziegky7qqtep6d3olcxhuc5bxmtiuutgtpueb6hq._file

Verdict:

unknown

4de20c38ffff3f9d75d9a446f152c017d9010477c28c8b97875f95f448ecb761

716aea8d309db7a34a2c30d2f1119925deaf40305ac3ca056bd323634d608309

73e4f070272e4a09024944c9efd73070c6c8762f98db9f6ddecda7244a50ceca

744c3903223bec0dfab7e1ddc7faaeb4989bbe1399a4047f75883c18063b676f

85ba34242c6c231c5cad5de3996e443148da47505a9fd3a6f41af32fcfc22652

bfbb049cb01927e1a776fe64db774c782ef6d40f3323a45c19e03069ab24ed5c

c13f524ec129f1d14e10cf9de34fde8dfc121fb5d832272d7eceebd9a32b77c3

c6eb55e95d67cd97e33c9db999877616465567fbab73a4ab2face292bb6df2f0

e4fd9559b250b575f6e753fd30b56bd3e48e504682bbabd80bc175c46a7bf770

+ 678 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220705-dtln7sfdg3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

39810e77e5073a5ca086563f084c8ff0f6e58ae7a0ba1bb268a52669be840f8f

MD5 hash:

3e52d6d8a70bb8811001d7551d4c26ee

SHA1 hash:

a3ecf2f259d4aff3b346e92c1acc72e7bf6b6e3b

Link:

https://www.unpac.me/results/91c1d302-acbe-48b2-9492-f6c46d04ef07/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_SmartAssembly Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with SmartAssembly

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip a611b7495b0d436457a0134893a5720e6eed0a24156fc25b56e4fd90039da3cd

exe 39810e77e5073a5ca086563f084c8ff0f6e58ae7a0ba1bb268a52669be840f8f

(this sample)

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 a611b7495b0d436457a0134893a5720e6eed0a24156fc25b56e4fd90039da3cd

Dropped by

MD5 3950ea3c23aff35e8222fac075dfb7c2

Dropped by

SHA256 c2ad37cc8b0711bfe5a769a058303624e0d3b280d6186830e954234e4f74e1c4

Dropped by

MD5 ad67a173c2cc93625a83b43eb82a4bf9

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample