MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c7a81c3727017a39bb162b64e75574f93179ad68488dde26c9d1a762a387f70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 10



SHA256 hash: 4c7a81c3727017a39bb162b64e75574f93179ad68488dde26c9d1a762a387f70
SHA3-384 hash: abccdb0343684de466ac53f38ceaad44b2f0029b0a3056f94bfca035fb7f7f86d5aa2d0537b75908e44d0e585988d4d6
SHA1 hash: c87be58e32dbd5019f81d1359e9e0b0a7f8e706b
MD5 hash: db91ebb2f8bafb222a12be79b1c75220
humanhash: seven-texas-xray-magnesium
File name: PAYMENT INSTRUCTION COPY. PDF.exe
File size: 1'288'704 bytes
First seen: 2024-01-18 08:55:10 UTC
Last seen: 2024-01-24 14:02:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: cc2b3e63a50ba98c3412285dee7a8f0b (16 x AgentTesla, 5 x RemcosRAT, 3 x 404Keylogger)
ssdeep: 24576:DqDEvCTbMWu7rQYlBQcBiT6rpFd+zGgB9BtXvk9GvtrWdOTvjvUwRsb2:DTvC/MTQYxsWPkzJnBtk9GVD7jv2
TLSH: T1E055CF023382C066FFAB92B34B5AF2115B797D260123E51F13D91D7ABE701B1563E7A2
TrID: 52.2% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
      24.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
      9.5% (.EXE) Win64 Executable (generic) (10523/12/4)
      4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: a065646aeec646ec (21 x AgentTesla, 13 x Formbook, 5 x DarkCloud)
Reporter: adrian__luca
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 318
Origin country: HU
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: autoit control greyware keylogger lolbin masquerade packed shell32

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 68 / 100
Signature
Antivirus / Scanner detection for submitted sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2024-01-17 19:52:43 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 15 of 24 (62.50%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Unpacked files
SHA256 hash: 75b54f2b1ac4c10556366a286091d39ddc499ed66e46ea889f504d89780c8a56
MD5 hash: 6989526364483ae536329719c2c266ac
SHA1 hash: 34a42d3f94f30d527f57c22f7ee0cdc5640030e2

SHA256 hash: a2d849cbecb3dc496f35171e95512b83b1589ef788e178533cff772fa8a33a40
MD5 hash: d11599cfbb84913f133096912f642a92
SHA1 hash: 16e239b541f11c603aecd6839c603ca3a8312c55

SHA256 hash: 4c7a81c3727017a39bb162b64e75574f93179ad68488dde26c9d1a762a387f70
MD5 hash: db91ebb2f8bafb222a12be79b1c75220
SHA1 hash: c87be58e32dbd5019f81d1359e9e0b0a7f8e706b
Detections: AutoIT_Compiled

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe 4c7a81c3727017a39bb162b64e75574f93179ad68488dde26c9d1a762a387f70 (this sample)
Delivery method: Distributed via e-mail attachment

Comments