MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4551ab5e824b19bad4d18678992450829a4a17fe9d01cd40f209ffb147c67290. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4551ab5e824b19bad4d18678992450829a4a17fe9d01cd40f209ffb147c67290
SHA3-384 hash: e9017627be05efb1f39df7495676375b6ca55b88a5b70de5fc1a0260ede39a02c93e136fb478edc2f0ac9876be8c1d12
SHA1 hash: fa56cc3551d8601bfebd2085b11449f4dbaf0dfa
MD5 hash: 6e1379b9922182e0348daaf605129342
humanhash: minnesota-mountain-cola-summer
File name:SHIPMENT DOCS 4X2000.exe
Download: download sample
File size:349'467 bytes
First seen:2023-06-27 08:46:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 61259b55b8912888e90f516ca08dc514 (1'059 x Formbook, 741 x AgentTesla, 431 x GuLoader)
ssdeep 6144:wYa6XHj31AURTv0HwSgtzmfV9E6VJkriVv9wyAX9shF8ewr0SY:wYtDPJ7OZP9pZhFmrXY
Threatray 2'964 similar samples on MalwareBazaar
TLSH T13B7412C86BB8C863EA910570497ECA254BB59C166A9187472380FD2EBDF16D34B1F337
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon fcd8d0d2dac0c0e4 (44 x Formbook, 1 x AgentTesla, 1 x XWorm)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHIPMENT DOCS 4X2000.exe
Verdict:
Malicious activity
Analysis date:
2023-06-27 08:49:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/59061871-9421-44c4-886e-4b9733880b7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/403178/
Detection(s):
Sanesecurity.Malware.28885.BadCo.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Unauthorized injection to a recently created process
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/92842/overview
Behaviour
MalwareBazaar
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin masquerade overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/649aa20a0b141afbe5e128ec/reports/1b522fd1-5152-4e07-bfa7-301900f6b359/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4551ab5e824b19bad4d18678992450829a4a17fe9d01cd40f209ffb147c67290
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35d16ce4-532c-4626-9623-64eba34b5302
Result
Threat name:
NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1261944
Signature
Antivirus detection for dropped file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 894974 Sample: SHIPMENT_DOCS_4X2000.exe Startdate: 27/06/2023 Architecture: WINDOWS Score: 88 121 Antivirus detection for dropped file 2->121 123 Multi AV Scanner detection for dropped file 2->123 125 Multi AV Scanner detection for submitted file 2->125 127 2 other signatures 2->127 14 SHIPMENT_DOCS_4X2000.exe 19 2->14         started        process3 file4 105 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 14->105 dropped 143 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 14->143 145 Maps a DLL or memory area into another process 14->145 18 SHIPMENT_DOCS_4X2000.exe 19 14->18         started        signatures5 process6 file7 77 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 18->77 dropped 129 Maps a DLL or memory area into another process 18->129 22 SHIPMENT_DOCS_4X2000.exe 18->22         started        26 SHIPMENT_DOCS_4X2000.exe 19 18->26         started        28 SHIPMENT_DOCS_4X2000.exe 19 18->28         started        signatures8 process9 file10 83 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 22->83 dropped 133 Maps a DLL or memory area into another process 22->133 30 SHIPMENT_DOCS_4X2000.exe 22->30         started        85 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 26->85 dropped 34 SHIPMENT_DOCS_4X2000.exe 19 26->34         started        87 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 28->87 dropped 36 SHIPMENT_DOCS_4X2000.exe 19 28->36         started        signatures11 process12 file13 107 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 30->107 dropped 147 Maps a DLL or memory area into another process 30->147 38 SHIPMENT_DOCS_4X2000.exe 30->38         started        109 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 34->109 dropped 42 SHIPMENT_DOCS_4X2000.exe 19 34->42         started        111 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 36->111 dropped 44 SHIPMENT_DOCS_4X2000.exe 19 36->44         started        signatures14 process15 file16 89 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 38->89 dropped 135 Maps a DLL or memory area into another process 38->135 46 SHIPMENT_DOCS_4X2000.exe 38->46         started        91 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 42->91 dropped 50 SHIPMENT_DOCS_4X2000.exe 42->50         started        93 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 44->93 dropped 52 SHIPMENT_DOCS_4X2000.exe 19 44->52         started        signatures17 process18 file19 113 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 46->113 dropped 149 Maps a DLL or memory area into another process 46->149 54 SHIPMENT_DOCS_4X2000.exe 46->54         started        115 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 50->115 dropped 58 SHIPMENT_DOCS_4X2000.exe 50->58         started        117 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 52->117 dropped signatures20 process21 file22 95 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 54->95 dropped 137 Maps a DLL or memory area into another process 54->137 60 SHIPMENT_DOCS_4X2000.exe 54->60         started        97 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 58->97 dropped 64 SHIPMENT_DOCS_4X2000.exe 58->64         started        signatures23 process24 file25 101 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 60->101 dropped 141 Maps a DLL or memory area into another process 60->141 66 SHIPMENT_DOCS_4X2000.exe 60->66         started        103 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 64->103 dropped 70 SHIPMENT_DOCS_4X2000.exe 64->70         started        signatures26 process27 dnsIp28 79 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 66->79 dropped 131 Maps a DLL or memory area into another process 66->131 119 192.168.2.1 unknown unknown 70->119 81 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 70->81 dropped 73 SHIPMENT_DOCS_4X2000.exe 70->73         started        file29 signatures30 process31 file32 99 C:\Users\user\AppData\...\vjihzepoqn.dll, PE32 73->99 dropped 139 Maps a DLL or memory area into another process 73->139 signatures33
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4551ab5e824b19bad4d18678992450829a4a17fe9d01cd40f209ffb147c67290/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2023-06-26 23:31:46 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ivi2wxucjmm3vvgrqz4jsjcqqkneuf76tua42qhsbh73cr6gokia._file
Verdict:
unknown
Similar samples:
0ba7be65751c2b047ae60485b59ec33e24a40b887f6a6d3bfc796b61da429a46
475ce37e500652d8a0fab2cb145581a7e41616490e80a757670a9a1af0ed7a2d
6031a34aae88c5aa68c4c13fccf872edcc28a8e6a3873186f7cc67989a701a5b
62e14feb0e0a4b6b36e258f63af59d4b68809fe0761b6c58c7ecdea90f4f2c1d
6631aace38dd7550a1a18350a43606bc2eb26380cc99fd6acafdf75f226498bb
8fa1034a57a9b35e6a622147d01a85767a42e1d4f16c2e4113433888eabeee24
bd27f580c5a07f8ead5a2ead3ffa65e35e570e0d5e4e9acdc2292fdee9311cd1
cf83ace62365a36e6c15fd730deb1521e09b28f65413ddd31960b4139ef1b11f
d612f5bbe5a52c3bfa7bae355fea53d60f252f0bad240bf12af3d31666b5fcf1
f9454d0787965826c1f6e031eb78495f153453fca4efea4ed993dceb61f2e3d8
+ 2'954 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230627-kpv6eade69/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SH256 hash:
1b7b2455777a46db0e2ad3857013fab6f9dccea79b829495aedb72927df28fa1
MD5 hash:
20862d0a531df7ed2aead32422396271
SHA1 hash:
76c87bf3ba4a7a55e1aad1b73393455c2c21e1eb
Link:
https://www.unpac.me/results/cde1b745-cd1f-4f3b-b81f-27beb3c53305/
SH256 hash:
4551ab5e824b19bad4d18678992450829a4a17fe9d01cd40f209ffb147c67290
MD5 hash:
6e1379b9922182e0348daaf605129342
SHA1 hash:
fa56cc3551d8601bfebd2085b11449f4dbaf0dfa
Link:
https://www.unpac.me/results/cde1b745-cd1f-4f3b-b81f-27beb3c53305/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4551ab5e824b19bad4d18678992450829a4a17fe9d01cd40f209ffb147c67290

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/403178/

Comments