MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3fffd137ae5fbcdfdd2b3110259472e81972af50f01c0a84bcb782e6b7676190. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3fffd137ae5fbcdfdd2b3110259472e81972af50f01c0a84bcb782e6b7676190
SHA3-384 hash: 1a4d0e9d83c4e1923330e68976ac1d7a8a8218804a740e8beec96076fbad6ddba7fe0bc70e5da2150bdd03fe4829a1ff
SHA1 hash: 4892923eef49f6c0b81e3230c5f6889008b74742
MD5 hash: 3e96a75563f2faf45729b8302fe78680
humanhash: purple-yankee-winner-foxtrot
File name:Proof of payment.exe
Download: download sample
File size:406'979 bytes
First seen:2022-08-12 05:38:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 6144:vTouKrWBEu3/Z2lpGDHU3ykJgTdLM/EecQw2e8u+3:vToPWBv/cpGrU3yfTVoED2Tv3
Threatray 1'434 similar samples on MalwareBazaar
TLSH T10E84C002BDC248B2D8A21D321BB56721A97DB9201F76C9DF73804A2DDA615C3DB317F6
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 72ceaeaeb2968eaa (57 x AgentTesla, 9 x Formbook, 7 x RemcosRAT)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proof of payment.exe
Verdict:
No threats detected
Analysis date:
2022-08-12 05:40:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c8a244bf-9ed0-4663-8f08-5b630da97c7e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298137/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28752/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62f5e779810e2831b73c4e0f/reports/2023749a-e86c-49de-ae9c-de47d036d9b7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/a4085b25-b456-46f8-bac2-bc669713de0f
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
51 / 100
Link:
https://www.joesandbox.com/analysis/1050353
Signature
Executable has a suspicious name (potential lure to open the executable)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3fffd137ae5fbcdfdd2b3110259472e81972af50f01c0a84bcb782e6b7676190/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-08-12 05:39:08 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
22 of 40 (55.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=h775cn5ol66n7xjlgeiclfds5amxfl2q6aoavbf4w6bonn3hmgia._file
Verdict:
malicious
Similar samples:
41417677b9fb6ec8e48a5c633da51083ea8887d34eedc7cd2b8a231e1d70e5d6
53425a77a0ba7663da782af01d94a2c3554af157e33741d70de0089fa8c6cc29
ac494de6b2d4a502b6288e1ad054266c6003688e2526bb509ebb8ca2a9ca54f2
d615e5ee56ba34e06f8ca0c30e207578b4762da50d422fb3b07b56eb4e7807ea
da362dff8b39c6b4b92387f48f5beb91ce55dbdf8bfe6a6ec7b5e6f1aa269010
e10a201d8b7cb09109715199c099ef24618f50fe09d3c1c6e7abbab79a59d94b
+ 1'424 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220812-gcar6abgb7/
Unpacked files
SH256 hash:
3fffd137ae5fbcdfdd2b3110259472e81972af50f01c0a84bcb782e6b7676190
MD5 hash:
3e96a75563f2faf45729b8302fe78680
SHA1 hash:
4892923eef49f6c0b81e3230c5f6889008b74742
Link:
https://www.unpac.me/results/59081d8d-43c5-4ee1-ba93-e84c3cac69a7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3fffd137ae5fbcdfdd2b3110259472e81972af50f01c0a84bcb782e6b7676190

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:sfx_pdb
Create hunting rule
Author:@razvialex
Description:Detect interesting files containing sfx with pdb paths.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 3fffd137ae5fbcdfdd2b3110259472e81972af50f01c0a84bcb782e6b7676190

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/298137/

Comments