MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ada27c7c8e3828ea8ab4b6e4b8372b879c90ea95306a2a5ba30758cf097399d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ada27c7c8e3828ea8ab4b6e4b8372b879c90ea95306a2a5ba30758cf097399d
SHA3-384 hash: 0f70faa0b80383c37518fe9495c9deffa43ef89756a299e3fff32ded4afcddae80786f95b2d30d0a701830c8bcd33ae9
SHA1 hash: 6c3f65888b6821b92603bf2f3aeb3b7b10b05109
MD5 hash: 0a02a61ad48899b80bc9acb733faed59
humanhash: coffee-ceiling-finch-pizza
File name:Download_quotation_PR #371073.exe
Download: download sample
File size:33'080 bytes
First seen:2021-02-22 07:21:57 UTC
Last seen:2021-02-22 08:41:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:XgeHHvx9bZATFiTUYcpMdgsRLO4oCyChA:XgyxUTTYcCdgsZOTCyV
Threatray 69 similar samples on MalwareBazaar
TLSH 05E23A44F6A76A23EC3E383924B12E0D937797E2B867D5225F0D51F5534F28A0D2F60A
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.portymder.xyz
Sending IP: 159.89.105.85
From: GAN Phei Yun <phei-yun.gan@arkemas.com>
Subject: URGENT QUOTATION.22.02.2021
Attachment: Download_quotation_PR 371073.iso (contains "Download_quotation_PR #371073.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118227/
Detection(s):
SecuriteInfo.com.MSIL.TrojanDownloader.Agent.HKY.28797.14157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/613722
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355869 Sample: Download_quotation_PR #371073.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 71 Multi AV Scanner detection for submitted file 2->71 73 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 2->73 75 Initial sample is a PE file and has a suspicious name 2->75 77 7 other signatures 2->77 8 Download_quotation_PR #371073.exe 23 9 2->8         started        13 explorer.exe 2->13         started        15 svchost.exe 2->15         started        17 13 other processes 2->17 process3 dnsIp4 61 coroloboxorozor.com 172.67.172.17, 49715, 49737, 80 CLOUDFLARENETUS United States 8->61 53 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->53 dropped 55 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 8->55 dropped 57 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->57 dropped 83 Creates an autostart registry key pointing to binary in C:\Windows 8->83 85 Adds a directory exclusion to Windows Defender 8->85 87 Hides threads from debuggers 8->87 89 Injects a PE file into a foreign processes 8->89 19 cmd.exe 8->19         started        21 powershell.exe 9 8->21         started        23 AdvancedRun.exe 1 8->23         started        33 4 other processes 8->33 91 Drops executables to the windows directory (C:\Windows) and starts them 13->91 25 svchost.exe 13->25         started        93 Changes security center settings (notifications, updates, antivirus, firewall) 15->93 29 MpCmdRun.exe 15->29         started        63 127.0.0.1 unknown unknown 17->63 31 WerFault.exe 17->31         started        file5 signatures6 process7 dnsIp8 35 conhost.exe 19->35         started        37 timeout.exe 19->37         started        39 conhost.exe 21->39         started        41 AdvancedRun.exe 23->41         started        65 104.21.71.230, 49744, 80 CLOUDFLARENETUS United States 25->65 67 coroloboxorozor.com 25->67 95 System process connects to network (likely due to code injection or exploit) 25->95 43 conhost.exe 29->43         started        69 192.236.147.189, 80 HOSTWINDSUS United States 33->69 45 conhost.exe 33->45         started        47 conhost.exe 33->47         started        signatures9 process10 process11 49 svchost.exe 35->49         started        dnsIp12 59 coroloboxorozor.com 49->59 79 System process connects to network (likely due to code injection or exploit) 49->79 81 Tries to delay execution (extensive OutputDebugStringW loop) 49->81 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ada27c7c8e3828ea8ab4b6e4b8372b879c90ea95306a2a5ba30758cf097399d/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-22 07:22:22 UTC
AV detection:
11 of 48 (22.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlncpr6i4obi5kfljnxexa3sxb44sdvjkmdkfjn2gb2yz4exhgoq._file
Verdict:
malicious
Similar samples:
07971958696b43eead2da2114b7a3965b492cdae39843078f16d56ad331427fe
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
19ea2b24f4d65b8169f982300901dba2253a880e3bd3f07dfcf933c0fe67a139
2ddbf5aed765723b948699526bc2a9a49864dc1181e21f4c51fe613aa8d0ca7e
3afef4ab289c49f347ed065f4d272cec7ea413b5c84fb4c2e6aa9adad2716db6
638c7d6859e792cc15836509bd58bf468b755fee3dcf669d2dcf328dd0029f12
a0ebcb3078763eb8acca534831ef9ca1a213347328698aa3cda7c5bd23cd81d8
a0f4dd8f54f51cb4d1243ecf21b2e5d578464ec54ba9b8e98b1afdb17465b4bc
db3691bd029c0e2db482666cdae1be9dbd30e488eeffc6fbffb1b52976705c99
ea34ce44176906af3dd7ec1e4d9db0df144f5769ce3298d88864698c54164c9b
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan
Link:
https://tria.ge/reports/210222-dardpa97gs/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Windows security modification
Executes dropped EXE
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
3ada27c7c8e3828ea8ab4b6e4b8372b879c90ea95306a2a5ba30758cf097399d
MD5 hash:
0a02a61ad48899b80bc9acb733faed59
SHA1 hash:
6c3f65888b6821b92603bf2f3aeb3b7b10b05109
Link:
https://www.unpac.me/results/f6fd490f-f68a-4081-b79a-99e9f0ed7e98/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso 1cd34fbbc014b2451f2faf83a73758caea0a2620f5ed88c91ffaa81f0d6c1e1a

Executable exe 3ada27c7c8e3828ea8ab4b6e4b8372b879c90ea95306a2a5ba30758cf097399d

(this sample)

  
Dropped by
MD5 6138d729b95ad04adc567faa99de3872
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118227/
  
Dropped by
SHA256 1cd34fbbc014b2451f2faf83a73758caea0a2620f5ed88c91ffaa81f0d6c1e1a

Comments