MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e1b1d348b5d643308cbefc595c7e3761d79928a45c4b6b9c937d380d135b1c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e1b1d348b5d643308cbefc595c7e3761d79928a45c4b6b9c937d380d135b1c2
SHA3-384 hash: c136430c9bb5309568d08d2a6ff86c83a75854c9ec74bb482c8cbb6f6018e938c58ee1db24b194caeed64b91979abc20
SHA1 hash: a85aac65ea7927b9b787207fcfcbeb357a4fce85
MD5 hash: caf57d99885af6e6cd0e2e6f4e991cc0
humanhash: yellow-cup-west-edward
File name:Orden de compra No 2413613955.exe
Download: download sample
File size:984'704 bytes
First seen:2021-06-20 07:26:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a08047ed05d96265100ca97553e90f55 (1 x NetWire)
ssdeep 12288:qKWXw4bc1NhDVFvci6VXI7ikDOHFR6ly2WGTZt6TqX0uNb+T0HXX+jBnnXLVgKRs:q5XYfDjAVrk6FIl5ZtGq/XQB/E
Threatray 18 similar samples on MalwareBazaar
TLSH 96256B59A103C5F1D9272AB84C2A56A8D4EA7C333B34CC4A26B47A4D7AFF2903D1DD47
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Ejlympizbkhrkekyihjfzizdpcjmtonaql_Signed_.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-11 12:50:52 UTC
Tags:
installer
Link:
https://app.any.run/tasks/c39d3ac2-527b-4fc1-b484-70545717e29b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167144/
Detection(s):
Win.Trojan.Generickdz-9872717-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Loki
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0979e810-4fac-4424-823d-24da73759b1c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/804862
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e1b1d348b5d643308cbefc595c7e3761d79928a45c4b6b9c937d380d135b1c2/
Threat name:
Win32.Infostealer.BestaFera
Create hunting rule
Status:
Malicious
First seen:
2021-06-11 17:09:34 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jynr2nellvsdgcgl57czlr7doyoxteukixclnoojg7jybujvwhba._file
Verdict:
suspicious
Similar samples:
0d182038f62a038b380a4d3c3769d5eb389b08b194b7dce13606252e7e1aff1c
196789782f6dcb856fb75cc2f08f70fa7643ce5183ebba9b677253d86cac9b41
22cfc4b78b3482f98f18795cd81276a8984604fa808ee9364d0db3fa49dbc598
282944c962e2fe2cf8e1b42218dbcfc5a7cd5f694a5ebf6b77d276d00e58f6b9
3f5ccdc99b29651852d447f8587f5cfa5e108ea10dba0eed36d436a4b6e73719
5759a1711d0f78b7be3f76aa9e451516f93d91370586f863dd5a68291c82ee3b
7df259f7873239aee108522c3efd6fca233db83a268a3c9fad4766994c5a029d
960cd364b10841b71b638aca1807d5667cf340e76102389d45d7df4c17401ed2
b3d6d97ed4c74d16ab89046ee019d874b8cc1a8ca257e132b3d2cbd146a48545
f4f27e005b5381e5d1eb3d1d95cd4ae5c963c7601934254ebe266f08cfaf78d2
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210620-naj7w16m1n/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32
MD5 hash:
3e9b080fb62948db627a904b7af653ea
SHA1 hash:
93a66126bdeb846724b41d44c6a7cac15c5ed636
Link:
https://www.unpac.me/results/936ac6d5-ac4f-4bb9-b108-1ca320819c48/
SH256 hash:
4e1b1d348b5d643308cbefc595c7e3761d79928a45c4b6b9c937d380d135b1c2
MD5 hash:
caf57d99885af6e6cd0e2e6f4e991cc0
SHA1 hash:
a85aac65ea7927b9b787207fcfcbeb357a4fce85
Link:
https://www.unpac.me/results/936ac6d5-ac4f-4bb9-b108-1ca320819c48/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e1b1d348b5d643308cbefc595c7e3761d79928a45c4b6b9c937d380d135b1c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/167144/

Comments