MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 6
| SHA256 hash: | 4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889 |
|---|---|
| SHA3-384 hash: | 3aae5f47a4c381ab0b4ac00cd8863ad9e67a3194a3ebe3e3111de20c2afd1ef467f80fea26277acbd81c24a7e479ceed |
| SHA1 hash: | bf0a9d5cb66a0b6c8de86276425c3fc1237dc710 |
| MD5 hash: | a8fdad1ac5215064bd7ffa1df315de0d |
| humanhash: | network-october-fillet-thirteen |
| File name: | inquiry canton fair.com |
| Download: | download sample |
| File size: | 523'776 bytes |
| First seen: | 2020-08-10 11:48:51 UTC |
| Last seen: | 2020-08-10 13:15:04 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 6144:Fp/w0DMLJr0k7LY6RiPPQ+9Us6XG0giWpiA3fxhw3ckjQI1mnKiN:F1cx050SZ/6PgrpiA3MckjQc |
| Threatray | 83 similar samples on MalwareBazaar |
| TLSH | 33B45DD61F8ABE81D3E50731EF3EF6B0C314BE2D07978A789A81B55E307A2137495690 |
| Reporter |  abuse_ch |
| Tags: | com |
abuse_ch
Malspam distributing unidentified malware:HELO: m97139.mail.qiye.163.com
Sending IP: 220.181.97.139
From: Santiago Rodríguez <luohy@cvc.org.cn>
Subject: Re: Inquiry 3 x 40’GP from santiago
Attachment: inquiry canton fair.com
Intelligence
File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a file in the %temp% directory
Connection attempt
Launching a process
Deleting a recently created file
Deleting of the original file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Signature
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-08-10 11:50:11 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 73 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
7/10
Tags:
n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Loads dropped DLL
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe 4e9725c1d27ec7cf15d2b159b703764c59ee647a76060e937fbfca3a73ecf889
(this sample)
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.