MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4
SHA3-384 hash: c995a99f8f31635554f601ff8e14378b33f9376a617ca120b74a1558e1f752de62f35d0c986e22f2a7caff893e05171b
SHA1 hash: 8097836e773a67d3be0fcadd923ea81fd2a2a8fa
MD5 hash: bf8b16340d010313b130398ac204a73c
humanhash: alabama-yellow-oranges-alanine
File name:QUOTATION_TML_617740.exe
Download: download sample
File size:775'004 bytes
First seen:2023-11-20 08:40:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (464 x Formbook, 184 x AgentTesla, 122 x SnakeKeylogger)
ssdeep 12288:o3KemAPIgJasmNB4fVEJrOhYjtJlcqOO/T3C1DPfXS+7vF52A21GDS6itERh4zig:u7PIgJaBseJrvLltOOr3C1zC+GGOG4eg
Threatray 730 similar samples on MalwareBazaar
TLSH T17DF423B142CD157BF06A6E742055EA67CF3B6000A978E42E2B2958375CF672FD6FC248
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
DE DE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/459266/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Gathering data
Gathering data
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a935b19b-6dab-4cae-b7c7-27aa56b24370
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1345036
Signature
Contains functionality to modify clipboard data
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4/
Threat name:
Win32.Trojan.Znyonm
Create hunting rule
Status:
Malicious
First seen:
2023-11-15 04:36:20 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jkn3b7vo5hka2uyxusjdfyinkghgqc33rtcxacnbtkeabozh5hca._file
Verdict:
malicious
Similar samples:
024ba3ede81d9ab14c13dc286cb2492cbcda7640d69bb9dc74f901e8217907b2
05d5b7b0b909b0921c90487f5e91cda6dfa9390432616d892bf7aed24f24104a
4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4
81adbb94cf5758852ad9d3e7ba4d958b1943715c3837074c7fcaeeee22aadb7b
b12372f5d425850492ea6994a629f911d22653adf730ae750003d7f188bd43f0
cf7bad0b2b13efccb7df15f015ec51d766d5a63a2b5acec200fff093c6d70c03
e579ef01ba2f52a618ab1448543ea8646ea710cf168c64aff70f68e1c89f6cad
+ 720 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/231120-klez1sfe6y/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4
MD5 hash:
bf8b16340d010313b130398ac204a73c
SHA1 hash:
8097836e773a67d3be0fcadd923ea81fd2a2a8fa
Link:
https://www.unpac.me/results/5cf02724-e728-4b9d-b869-8cab4268e753/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 4a9bb0feaee9d40d5317a49232e10d518e680b7b8cc57009a19a8800bb27e9c4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/459266/

Comments