MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bd12f48c0a5a1dd9a4c0dd17460f2941f3a1b2b11b95961b4092f07622eb5c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bd12f48c0a5a1dd9a4c0dd17460f2941f3a1b2b11b95961b4092f07622eb5c3
SHA3-384 hash: 228c32f87eb6e4bd683e2ceba2a19a0c5646e6834de1cdb61783b5e75c8bdd6c8337803d722a3305240bdfdd9c897b3f
SHA1 hash: 0011ad4dba04c1d05f47bbebe4bb3b24152bb881
MD5 hash: c1f56f9337287f7d8840ee5a33ef658b
humanhash: two-leopard-maryland-pip
File name:advice0512202003454.scr
Download: download sample
File size:2'308'608 bytes
First seen:2020-05-13 06:11:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f63caebe1e46d29542ea606034a7da47 (7 x AgentTesla, 4 x Loki, 3 x HawkEye)
ssdeep 49152:jztlR/GGap2oMSC+e6EJOuMMaoR8YLsNxgJjvF:jztU9MEe6EfXzRrLqWJZ
Threatray 4 similar samples on MalwareBazaar
TLSH 78B50122E2DD4F37C1B31A389D4B5264993EBD133E286E472BE41D4C5F39352392A297
Reporter abuse_ch
Tags:scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.riyadhceramic.com
Sending IP: 159.65.100.232
From: remittance@landbank.com.tw
Subject: Payment Copy from landbank Taiwan
Attachment: advice0512202003454.r05 (contains "advice0512202003454.scr")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.Trojan3.APDS.16897.29180.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 23:06:33 UTC
File Type:
PE (Exe)
Extracted files:
294
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jpis6sgauwq53gsmbxixiyhssqptugzlcg4vsynubexqoyrowxbq._file
Verdict:
malicious
Similar samples:
0c80fa8807477cff8c9c3ed7b2a857538f022b1e8829020d09f60bd71f1afd9a
3ee04e378f6430e85f5756093e80b243c2ebbcb9f2ee77cc32acd1cd9e333301
85d879be258470ed22d55bb6fda8be5d0b7d480c23d95b252516e85ccad2fec4
c0dfbb822dea47692a8ed0d266c518495f1a3efd3a4208fb5251bcdf08f18d42
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/201109-ndz1lmgene/
Behaviour
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

r05 1d507234fa513d491988dc984ee624ddfd376609282bf631193e9ab6ff84f401

Executable exe 4bd12f48c0a5a1dd9a4c0dd17460f2941f3a1b2b11b95961b4092f07622eb5c3

(this sample)

  
Dropped by
MD5 6c5e39a2ae7557a7550d7a31237a3eea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1d507234fa513d491988dc984ee624ddfd376609282bf631193e9ab6ff84f401

Comments