MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43ca8605af17f08bd6e9dc30aa7ab1d206d501160040e5a8a085f46d2e01f2c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 8



SHA256 hash: 43ca8605af17f08bd6e9dc30aa7ab1d206d501160040e5a8a085f46d2e01f2c9
SHA3-384 hash: 4a446d17e3939bca353cbf097d7803ff9743ba34388ff7efabc4c381905e09d240b03b655482264934d8369d2d6bbd71
SHA1 hash: d5a6b7229e68b730ef5800150d93b31f15bd634d
MD5 hash: 8c5e74cc1b2e3add30fbc32df07f9735
humanhash: sixteen-hydrogen-sixteen-oscar
File name: DHL Tracking.exe
File size: 434'176 bytes
First seen: 2020-12-28 17:39:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b14f4a4790b2f60cb9f4b71496d7f78c
ssdeep: 12288:Qu2NwMwwhp2T46A9jmP/uhu/yMS08CkntxYRQ:Q/fmP/UDMS08Ckn3l
Threatray: 4'679 similar samples on MalwareBazaar
TLSH: 5194E026B7A20E43DADA59B15E9385F073B3BD8B0B53020B7A4572BE6862F111C55B0F
Reporter: abuse_ch
Tags: DHL, exe


abuse_ch
Malspam distributing unidentified malware:

HELO: server.ninja-host.com
Sending IP: 5.189.132.239
From: DHL Customer Service<info@iccl-eg.com>
Reply-To: <fedny2016@gmail.com>
Subject: Re: DHL Invoice attached !!!
Attachment: DHL Tracking.zip (contains "DHL Tracking.exe")
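
The header fields in the report above are the kind of indicators a mail gateway or triage script would turn into detection heuristics. The following is an added example, not MalwareBazaar or abuse.ch code: it constructs a message from the reported fields (the ZIP and the bytes inside it are an inert placeholder, not the real "DHL Tracking.exe"), then flags the Reply-To domain differing from the From domain, the HELO name unrelated to the sender domain, the DHL display name on a non-DHL address, the fake "Re:" thread, and the executable inside the archive, and hashes the extracted file so it can be looked up by SHA256. Function names such as triage_message, the relay name mx.example.invalid and the registrable-domain shortcut (last two labels instead of a public-suffix list) are assumptions of this example.

```python
"""Mail-gateway heuristics for the DHL malspam reported above.

Added example, not MalwareBazaar or abuse.ch code. The message is
constructed from the header fields in the report; the ZIP and the bytes
inside it are an inert placeholder, not the real "DHL Tracking.exe".
"""
import email
import email.message
import email.policy
import email.utils
import hashlib
import io
import os
import re
import zipfile

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
LURE_WORDS = ("invoice", "tracking", "shipment", "dhl")
MAX_MEMBER_SIZE = 50 * 1024 * 1024  # refuse to inflate oversized archive members


def build_sample_message() -> bytes:
    """Construct an .eml resembling the reported malspam (placeholder payload)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL Tracking.exe", b"MZ placeholder; not the real sample")
    msg = email.message.EmailMessage(policy=email.policy.default)
    # Received line as our (assumed) MX would have written it from the report's HELO and IP.
    msg["Received"] = ("from server.ninja-host.com (server.ninja-host.com [5.189.132.239]) "
                       "by mx.example.invalid with ESMTP; Mon, 28 Dec 2020 17:39:37 +0000")
    msg["From"] = "DHL Customer Service <info@iccl-eg.com>"
    msg["Reply-To"] = "<fedny2016@gmail.com>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Re: DHL Invoice attached !!!"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="DHL Tracking.zip")
    return msg.as_bytes()


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registrable(host: str) -> str:
    """Last two labels; a shortcut standing in for a public-suffix-list lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage_message(raw: bytes) -> dict:
    """Return sender facts, extracted-attachment hashes and heuristic findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []

    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    if reply_addr and _registrable(reply_dom) != _registrable(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if "dhl" in from_name.lower() and "dhl" not in from_dom:
        findings.append(f"display name claims DHL but address is {from_addr}")

    # First Received header (written by our own MX): HELO name and connecting IP.
    received = str(msg.get("Received", ""))
    helo_m = re.search(r"from\s+([\w.-]+)", received)
    ip_m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    helo = helo_m.group(1).lower() if helo_m else ""
    if helo and from_dom and _registrable(helo) != _registrable(from_dom):
        findings.append(f"HELO {helo} unrelated to From domain {from_dom}")

    subject = str(msg.get("Subject", ""))
    if subject.lower().startswith("re:") and not msg.get("In-Reply-To"):
        findings.append("subject looks like a reply but there is no In-Reply-To")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        record = {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "inner": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_SIZE:
                        findings.append(f"oversized archive member {info.filename}; skipped")
                        continue
                    blob = zf.read(info)  # inflated in memory; member size capped above
                    record["inner"].append({"name": info.filename,
                                            "sha256": hashlib.sha256(blob).hexdigest()})
                    if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXT:
                        findings.append(f"archive {name} contains executable {info.filename}")
        attachments.append(record)

    if attachments and any(w in subject.lower() for w in LURE_WORDS):
        findings.append("shipping/invoice lure with an attachment")

    return {
        "sender_ip": ip_m.group(1) if ip_m else "",
        "helo": helo,
        "findings": findings,
        "attachments": attachments,
        "verdict": "suspicious" if len(findings) >= 3 else "review",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_message(build_sample_message()), indent=2))
```

No single heuristic here is conclusive (ticket systems and mailing lists legitimately set a foreign Reply-To, and many real replies lack In-Reply-To), so the verdict requires several signals to agree. The SHA256 of the file extracted from the archive is what you would paste into MalwareBazaar to see whether it matches a known entry such as this one; against the real attachment it would have to equal the SHA256 in the record above.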

Intelligence


File Origin
# of uploads: 1
# of downloads: 169
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DHL Tracking.exe
Verdict: Malicious activity
Analysis date: 2020-12-28 17:40:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Threat name:
Detection: malicious
Classification: rans.spyw
Score: 68 / 100
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Potential malicious icon found
Yara detected Kutaki Keylogger
Behaviour: behavior graph (image)
Threat name: Win32.Trojan.Ymacco
Status: Malicious
First seen: 2020-12-28 17:40:08 UTC
AV detection: 22 of 29 (75.86%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:kutaki keylogger stealer
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Kutaki
Kutaki Executable
Unpacked files
SHA256 hash: 43ca8605af17f08bd6e9dc30aa7ab1d206d501160040e5a8a085f46d2e01f2c9
MD5 hash: 8c5e74cc1b2e3add30fbc32df07f9735
SHA1 hash: d5a6b7229e68b730ef5800150d93b31f15bd634d
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe 43ca8605af17f08bd6e9dc30aa7ab1d206d501160040e5a8a085f46d2e01f2c9 (this sample)
Delivery method: Distributed via e-mail attachment
