MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7
SHA3-384 hash: 08b110ada451dbfabd69213f80fadbf930b91b97650ca0a920178fca957e06bf96c2b5dfd1e2b3ce6143a06a6c498356
SHA1 hash: bd80a9ba1ed47f95ca126d5b922cfd04b3790e19
MD5 hash: ca03d77ef6592054e7e663d514a57aac
humanhash: winter-sierra-fanta-cup
File name:DTI-60378xls.scr
Download: download sample
File size:465'920 bytes
First seen:2020-12-08 07:52:54 UTC
Last seen:2020-12-08 09:30:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:l0wODQtk7gaPqbLXb2wVKPQ6IIuJ/Ie762mDsOv8GJLNKhxviJNQ/1dB0yc4KQaB:pjeTPBId/Ie7qwYhKMKtwy95aVV9P
Threatray 8 similar samples on MalwareBazaar
TLSH 03A4BE31332A5AAAE6ED3E75810712344EE49C27F722E148EE463CF5B5B32D6C9509F1
Reporter abuse_ch
Tags:scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: sara.com
Sending IP: 45.127.62.55
From: Logistics Asia Team <lueilwitz@johnwilliams.gq>
Reply-To: aceacryli@gmail.com
Subject: FW:RE:Urgent shipment 08/12/2020
Attachment: DTI-60378xls.iso (contains "DTI-60378xls.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107191/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.12964.26499.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Snake Keylogger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/557693
Signature
May check the online IP address of the machine
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 07:53:14 UTC
AV detection:
14 of 48 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhtclab4wbfewezsb3l3lw7yvoxhgsstuxhwrbfofhou4snugd3q._file
Verdict:
unknown
Similar samples:
20caa9bbab7ef41b3766a4fc9c1690b84b9425a1105eb563673a5000f02936b3
3680b8c8760e1b0546d796885b5161d55aa786f27bb010539ddff0ae858123c6
82ffc9d5e821acbff5872134b8851ba0a494e88e87df97b17b3f28c81b8f3b83
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
ca6c0702ac45a81d1971f4411e553a85a5372c21d38638e5af8322f5605120f3
cc8de0f68549d84a62dcd11df6625b2bfe08a6cfaea102f4710e28969a60f689
d2bf967449913fb1af71ef3b38581eeb0ac7519e3a480657a78336dcfc615bf4
f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201208-p82f3n2q5e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7
MD5 hash:
ca03d77ef6592054e7e663d514a57aac
SHA1 hash:
bd80a9ba1ed47f95ca126d5b922cfd04b3790e19
Link:
https://www.unpac.me/results/f9cdb4af-1480-4d1f-8857-a07f30bde046/
SH256 hash:
fbb4b481abf097b1ed40a5b6a231d059c4ffb8ab4b32d644fb2751a68e1f20a8
MD5 hash:
23222c9deaebfa57cda4ea49460a9fcb
SHA1 hash:
26f8e82df2a851091dfaccd52f892732abcf906d
Link:
https://www.unpac.me/results/f9cdb4af-1480-4d1f-8857-a07f30bde046/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/f9cdb4af-1480-4d1f-8857-a07f30bde046/
SH256 hash:
49913a0700fc41d28d17dfd1748c99f800eb53d727ebc63987604b20c3907208
MD5 hash:
5c60e6b3589574cf43565ef532d56650
SHA1 hash:
8d935f97d0f3eebb927dfec9e6e7976348e71558
Link:
https://www.unpac.me/results/f9cdb4af-1480-4d1f-8857-a07f30bde046/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso b77e43d489b3924f1ce6964a87e14c59eae4cf17c57d7f41887ff21da133493c

Executable exe 39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7

(this sample)

  
Dropped by
MD5 6980acb449789486ef15c6b1d1a6bcbb
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b77e43d489b3924f1ce6964a87e14c59eae4cf17c57d7f41887ff21da133493c
Cape
Cape
https://www.capesandbox.com/analysis/107191/

Comments