MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0
SHA3-384 hash: e733a9a04d1479d8d1dcb30a08e19d3539410961a7ccdd79ab3c881efa8462a7f97cba246234d9ed7759ef0eea4a824d
SHA1 hash: 91d9cad4b43cd7a2c1f1bf4567e3841c242b0c4d
MD5 hash: 5eca2262d6a1d316873de2ca01b02bbc
humanhash: twenty-bravo-music-seven
File name:Specification 01012_pdf.exe
Download: download sample
File size:1'108'992 bytes
First seen:2021-04-07 05:51:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Jju6x64SuvmwhwfENHF5/zHTTEgFNTPtYkfrnOuW/gIeK09eIkbP3t84NugS7ICW:JLxgu+awfyn7NF9hpIeKBIS9FZCfLcd
Threatray 4'416 similar samples on MalwareBazaar
TLSH D0356AC09E4A78CDD4AA36F0341180FC83AB6D2226CDA3D697B3F9D65733562CD5069E
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: 163.com
Sending IP: 185.222.58.104
From: Allen.nilvik@163.com
Reply-To: nilvik <anqimes@gmail.com>
Subject: Urgent Inquiry from Nilvik International
Attachment: Specification 01012_pdf.7z (contains "Specification 01012_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Specification 01012_pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-07 05:57:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2942ec5-f450-48e8-aa72-b1d932efd42c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132736/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.634.21446.6957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668234
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383048 Sample: Specification 01012_pdf.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 48 api.anonfile.com 2->48 50 anonfiles.com 2->50 60 Malicious sample detected (through community Yara rule) 2->60 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected StormKitty Stealer 2->64 66 9 other signatures 2->66 9 Specification 01012_pdf.exe 4 2->9         started        13 Specification 01012_pdf.exe 2->13         started        15 Specification 01012_pdf.exe 2->15         started        signatures3 process4 file5 46 C:\Users\...\Specification 01012_pdf.exe.log, ASCII 9->46 dropped 68 Adds a directory exclusion to Windows Defender 9->68 70 Injects a PE file into a foreign processes 9->70 17 Specification 01012_pdf.exe 2 15 9->17         started        20 powershell.exe 25 9->20         started        22 powershell.exe 13->22         started        24 Specification 01012_pdf.exe 13->24         started        signatures6 process7 signatures8 56 Tries to steal Crypto Currency Wallets 17->56 58 Installs a global keyboard hook 17->58 26 AppLaunch.exe 17->26         started        29 AppLaunch.exe 5 17->29         started        31 AppLaunch.exe 17->31         started        37 4 other processes 17->37 33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        process9 dnsIp10 72 Tries to steal Instant Messenger accounts or passwords 26->72 74 Tries to steal Mail credentials (via file access) 26->74 76 Tries to harvest and steal browser information (history, passwords, etc) 26->76 40 WerFault.exe 29->40         started        52 api.anonfile.com 45.148.16.42, 443, 49742, 49746 OBE-EUROPEObenetworkEuropeSE Sweden 37->52 54 anonfiles.com 172.67.181.195, 443, 49743, 49747 CLOUDFLARENETUS United States 37->54 42 WerFault.exe 37->42         started        44 WerFault.exe 37->44         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 00:24:05 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jki5m76gbkdnwp6ks5pyrjjsham5slkueg7cpf2r6koiz5vd6tia._file
Verdict:
unknown
Similar samples:
01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4
51c5377d6679a6a6e2cb1e9aee769cb64c40dc17c557eff90f8b7382c27196fa
b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
ca4a895f81aec93ce01e2290fb643471f26fc4a190f5f65fbc1ae9647e00ad75
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292
f73bd79fa45052bdee47d286e58107be584dd64d6cafb38362d494d9b388356f
ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7
+ 4'406 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/210407-48vvkw8t36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/eaad4676-eba4-4ab4-89bd-bedb72f64c94/
SH256 hash:
4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0
MD5 hash:
5eca2262d6a1d316873de2ca01b02bbc
SHA1 hash:
91d9cad4b43cd7a2c1f1bf4567e3841c242b0c4d
Link:
https://www.unpac.me/results/eaad4676-eba4-4ab4-89bd-bedb72f64c94/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z 83a946ca558da288b427ca8efcf9a557632641fb0b8c3e278d014646ea7aac1e

Executable exe 4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0

(this sample)

  
Dropped by
MD5 2479d696a8cc14b898ab0b02bbfde8e4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132736/
  
Dropped by
SHA256 83a946ca558da288b427ca8efcf9a557632641fb0b8c3e278d014646ea7aac1e

Comments