MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 505fe19102b268d7ba39c64ce2fa44281c7cea8c1052cfed2bac2a6b38d9cad3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	505fe19102b268d7ba39c64ce2fa44281c7cea8c1052cfed2bac2a6b38d9cad3
SHA3-384 hash:	02a7572c9e5d9dd3844272323deca33dfc06818493b0defeeaf060ae4599e5e7cc432a96c7e44bc16792c14d79710b34
SHA1 hash:	dc045bf560f88a0f389fd44390818456d45aa3bc
MD5 hash:	d483ba5491f279cc9d017802fabc0783
humanhash:	kentucky-louisiana-iowa-emma
File name:	file.exe
Download:	download sample
File size:	942'592 bytes
First seen:	2020-05-21 10:02:43 UTC
Last seen:	2020-05-21 11:14:45 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:xb4v5T1EsIoEGT8gMo8aqTgDI8bN4dw7NNyXxjpN7N9U:Jy1D9vT8gb89gDI7JXjxN9
Threatray	478 similar samples on MalwareBazaar
TLSH	501523207BFC5321EAF857715E70A690A3BAB24A5872D64C9DC270CF5E627424362F63
Reporter	abuse_ch
Tags:	exe geo VNM

abuse_ch

Malspam distributing unidentified malware:

HELO: fre.freespirittours.ge
Sending IP: 192.254.140.61
From: Nguyen Van Bon <epugnant@groupe-rdt.com>
Subject: Re: Re: Re: AW: yêu cầu đặt hàng bảng báo giá
Attachment: file.zip (contains "file.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

77

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.17.1788.12402.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-21 10:40:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

5

AV detection:

23 of 48 (47.92%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kbp6deicwjunporzyzgof6sefaohz2umcbjm73jlvqvgwogzzljq._file

Verdict:

malicious

Similar samples:

11898f39e67e27f6ff6b7b2065d92cc7c8dae4c020b8c0a85f6af1761e54c1fc

326d9a3cd91e4bc994ff17720650d3eb08d4c502ed4847f5fe8496b7ba50a6b9

3d5d31a764a3bd26d6601fcc3afb645c29eb9bf5d108727dc3ab712ab60f71dc

426110407bdba9dfe5a4f6d39d6369c8baf47008d7738765c3eb7d1ee62e3344

45970f8f1497ab648eb24a71690d876dc6e18ed42e95da854252ec79b7939ab6

4f3ee8bb321639618ea25d8ceb965d1c695255e5a28b48bd62a659f8b84872cc

64d3f072ba14d7090ee2acc9291feddc1639abcafc7f7e8e1d9a7af082232121

6d64b4e9f5d0ce23f886c24e546fa03e0f4022835e5c98249a6d4259a5d7fef7

eb105b408d5010f2bb82c8d5960af3303e96e7fd64d7777263d475c351b6d59c

f1df9397598b0d1809e96f11970c3c08166f95704a79067012ec23d7aa0aa353

+ 468 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

coreentity rezer0

Link:

https://tria.ge/reports/201109-qpbdqwrj3n/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

rezer0

CoreEntity .NET Packer

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 552581d2b51781af4b7189ba9fcdf305e979716a7aa35e0f9a3e2155dae0d341

exe 505fe19102b268d7ba39c64ce2fa44281c7cea8c1052cfed2bac2a6b38d9cad3

(this sample)

Dropped by

MD5 a25fcc84d9b58f4892368fb4a036f94d

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 552581d2b51781af4b7189ba9fcdf305e979716a7aa35e0f9a3e2155dae0d341

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample