MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010
SHA3-384 hash: cb42c20465cafab45b6249303446bca88920df1efa57dd5744985d198dd4116d65beb5d4cdcce805ef239f9a88e7d9ce
SHA1 hash: 0579f60b6153e79572c9742db42060519caa5101
MD5 hash: 735b721fab5155421daa6e98df7f1798
humanhash: alpha-seven-juliet-glucose
File name:090000000.exe
Download: download sample
File size:455'838 bytes
First seen:2021-07-08 05:38:41 UTC
Last seen:2021-07-08 06:39:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (295 x GuLoader, 51 x VIPKeylogger, 50 x RemcosRAT)
ssdeep 12288:WMwOVw7SS8WineieET8dq8vVo003HAszK4g0UT:WMwX7SNqdNva5gsM0UT
Threatray 38 similar samples on MalwareBazaar
TLSH T16DA43914011BE121CE2706B36A69DD19A00A6FB2AFB4D6BE908D75C3653BF891027DFD
Reporter cocaman
Tags:exe INVOICE

Intelligence

File Origin
# of uploads :
3
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
090000000.exe
Verdict:
Malicious activity
Analysis date:
2021-07-08 05:39:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2a39785a-e067-4ea5-b858-be6f02548af1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170342/
Detection(s):
SecuriteInfo.com.Trojan.Nsis.Spy.Gen.1.7595.28373.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14224890-ad97-45c0-a5ac-795de19ee716
Result
Threat name:
a310Logger
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/813260
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes or reads registry keys via WMI
Yara detected a310Logger
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445671 Sample: 090000000.exe Startdate: 08/07/2021 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus detection for dropped file 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 5 other signatures 2->56 7 woufmmnhbfwhgh.exe 15 2->7         started        11 090000000.exe 1 19 2->11         started        14 woufmmnhbfwhgh.exe 15 2->14         started        process3 dnsIp4 48 192.168.2.1 unknown unknown 7->48 66 Multi AV Scanner detection for dropped file 7->66 68 Detected unpacking (changes PE section rights) 7->68 70 Detected unpacking (overwrites its own PE header) 7->70 72 Machine Learning detection for dropped file 7->72 16 woufmmnhbfwhgh.exe 5 7->16         started        44 C:\Users\user\AppData\...\woufmmnhbfwhgh.exe, PE32 11->44 dropped 74 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->74 76 Maps a DLL or memory area into another process 11->76 78 Writes or reads registry keys via WMI 11->78 19 090000000.exe 7 11->19         started        46 C:\Users\user\AppData\Local\...\udqtqnq.dll, PE32 14->46 dropped 21 woufmmnhbfwhgh.exe 14->21         started        file5 signatures6 process7 file8 36 C:\Users\user\AppData\...\PASSWORDSNET4.exe, PE32 16->36 dropped 38 C:\Users\user\AppData\...\CREDITCARDNET4.exe, PE32 16->38 dropped 40 C:\Users\user\AppData\...\COOKIESNET4.exe, PE32 16->40 dropped 42 C:\Users\user\AppData\...\CONTACTSNET4.exe, PE32 16->42 dropped 23 PASSWORDSNET4.exe 2 16->23         started        26 CREDITCARDNET4.exe 16->26         started        28 CONTACTSNET4.exe 16->28         started        30 PASSWORDSNET4.exe 4 19->30         started        32 CONTACTSNET4.exe 1 19->32         started        34 CREDITCARDNET4.exe 3 19->34         started        process9 signatures10 58 Tries to harvest and steal browser information (history, passwords, etc) 23->58 60 Multi AV Scanner detection for dropped file 30->60 62 Tries to steal Mail credentials (via file access) 30->62 64 Machine Learning detection for dropped file 32->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-08 01:42:07 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
22 of 46 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jv7v2yzcsnpoorfljig3evoki4qmfjskuz3axomhgsjzsfs3waia._file
Verdict:
malicious
Similar samples:
0db3bd35b25826c66d2ebc8f3d009b44dcffbf66e7998b19be0cf4c0d8fec258
11db354a5d6b15b2aad9747f275e846283c9024a434d2f288e95abfd3ec7dfd7
77d69fc2f79de7f28dfe67e4cb6b7fa1e994a2a16831fd918d3dca53a523f2c1
788510bf3fc20aacc76bd0ed1884ff8452f4e79023f2f3ad3072efbd7e74139d
7d803e44c98cd23b971f692182f8d1d508fe82fb0fd6b681e7896c552d88411a
80b056a8c2fee08fd3361a8a271dea407425ca335275d49f81a1c50a06d9ed98
8532972f199b85a336710c894ddebea7560f7f19c774b52a0d648275960e4db4
8cf4d9a55d80942fbdf18648f7fa01768efc4783b439503d39d9ef98a85fb193
ae66143bb6965a7f1122c8eb776085ce679d038b8dd886f954ecd5e45aff4664
d5d6dcf7e05158c3d2abc10588ab6ca17cb2d4082720d8847b28894cafc0ead6
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/210708-vl329rx66n/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
fec6382d8a478b4b56a42358d75ab3cb0e540c4d5aaa09c5ef9b1c87d95d9739
MD5 hash:
22487bf04bd297a56457548f9ffb2d5f
SHA1 hash:
fc9c75dbe58cd919248dcf0827ebf94e8e801e6f
Link:
https://www.unpac.me/results/3066d3a1-cab5-4b3c-827a-dcb0fb6b072b/
SH256 hash:
0f3827be21838ec7e34d86c10e412d08d37919e4599b1812afe063d8b709253c
MD5 hash:
ea3b72bc52bfd4ed8df1e3093c170709
SHA1 hash:
daaa4b8b9c9f012ee920729fdd5759625e80fd67
Link:
https://www.unpac.me/results/3066d3a1-cab5-4b3c-827a-dcb0fb6b072b/
SH256 hash:
73c05067173b3ea13c34fa4860bbb40f8788276e578d5a4199f1fc19c4df43b4
MD5 hash:
caa67a6370d6b189850516405139e9e5
SHA1 hash:
c5f44c4187f20986b989357511525cea1db54286
Link:
https://www.unpac.me/results/3066d3a1-cab5-4b3c-827a-dcb0fb6b072b/
SH256 hash:
4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010
MD5 hash:
735b721fab5155421daa6e98df7f1798
SHA1 hash:
0579f60b6153e79572c9742db42060519caa5101
Link:
https://www.unpac.me/results/3066d3a1-cab5-4b3c-827a-dcb0fb6b072b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip a5540e6a974ffc5879d8a7398e96655c2705b0b5941e434624fc6ec50e810c26

Executable exe 4d7f5d6322935ee744ab4a0db255ca4720c2a64aa6760bb987349399165bb010

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a5540e6a974ffc5879d8a7398e96655c2705b0b5941e434624fc6ec50e810c26
Cape
Cape
https://www.capesandbox.com/analysis/170342/

Comments