MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 546e5320773891c160621ec99d48fb4d90d6d58bc26ab01d7e5a3f16fec9636c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9


SHA256 hash: 546e5320773891c160621ec99d48fb4d90d6d58bc26ab01d7e5a3f16fec9636c
SHA3-384 hash: 798c5e5b02aa870dc8e4316574801c50f1a412a07f37585c43341867436f74566fddb19da4512f1308130e0016d057c7
SHA1 hash: 2371e638682b62b64ddb753bafa4558ab320e587
MD5 hash: ebe19768a5489ee4fa2d6e8d19290666
humanhash: green-queen-butter-double
File name: PO_4000010871_RFQ_PRS_1000024753_RM.exe
File size: 3'769'647 bytes
First seen: 2021-04-01 07:24:06 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep: 98304:BRHA3hfl5fjJFa4wPu/1Nf1QTGRhkfh4A1D27+k:BRHA39J4Bu1Zch4427L
Threatray: 1'528 similar samples on MalwareBazaar
TLSH: DF06334305EB2EE8D53816713A770FEDC7943A824782E4AE7C8561490BF918D7FA72C6
Reporter: abuse_ch
Tags: exe HostGator


abuse_ch
Malspam distributing unidentified malware:

HELO: gateway36.websitewelcome.com
Sending IP: 192.185.196.23
From: Procurement Department <ceo@sakhargroup.com>
Subject: PO: 4000010871 - RFQ PRS :1000024753- RM-1
Attachment: PO_4000010871_RFQ_PRS_1000024753_RM.ISO (contains "PO_4000010871_RFQ_PRS_1000024753_RM.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 110
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO_4000010871_RFQ_PRS_1000024753_RM.exe
Verdict: Malicious activity
Analysis date: 2021-04-01 08:06:39 UTC
Tags: stealer trojan phishing

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware

Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Creating a file in the Windows subdirectories
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Reading critical registry keys
Deleting a recently created file
Replacing files
Creating a file
DNS request
Connection attempt
Sending an HTTP POST request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Stealing user critical data
Result
Verdict: MALICIOUS

Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Threat name: Win32.Packed.Themida
Status: Malicious
First seen: 2021-04-01 07:24:19 UTC
AV detection: 14 of 44 (31.82%)
Threat level: 1/5

Result
Malware family: n/a
Score: 9/10
Tags: evasion spyware stealer themida trojan

Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
themida
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files

SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83

SHA256 hash: b6e61d4a8e0fe205cd03d4fa1d9ffc4ce8c77b9a3efecdb6f9523dccf6bd9864
MD5 hash: 345da28112fc97cbad74e45c510fd783
SHA1 hash: dc88113783ed200262428c3000c35fdd093c5b64

SHA256 hash: 8820f2380b8ac40cfee48c951ac368dce0735f86c7b05283d9583282e2507891
MD5 hash: 1284d0a6e0634fc564ad860c43a5291e
SHA1 hash: 5faf2556793d1f8fcb72b285380f69980544d6b1

SHA256 hash: e4fec7feeabbea4178ff5ad5e8e049c6cac9f0e492690dd8027f1e7bbe287fd4
MD5 hash: a850708e507db81040601d5a4e0fe437
SHA1 hash: 5eef0dc7e92bb7f4bd7faac0d5d7ad6a14071389

SHA256 hash: f58c374ffcaae4e36d740d90fbf7fe70d0abb7328cd9af3a0a7b70803e994ba4
MD5 hash: 5afda7c7d4f7085e744c2e7599279db3
SHA1 hash: 3a833eb7c6be203f16799d7b7ccd8b8c9d439261

SHA256 hash: 28c85f29ac63a2aac0aeaa41b37f640296b1bf2ff672e9452ed30527065d5c54
MD5 hash: b5a33f68e98ef6f08cc4d1dbce872e16
SHA1 hash: 07a4a43009951a56ba3cd89f8f4be181aebb9cfd

SHA256 hash: 546e5320773891c160621ec99d48fb4d90d6d58bc26ab01d7e5a3f16fec9636c
MD5 hash: ebe19768a5489ee4fa2d6e8d19290666
SHA1 hash: 2371e638682b62b64ddb753bafa4558ab320e587
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Andromeda_MalBot_Jun_1A
Author: Florian Roth
Description: Detects a malicious Worm Andromeda / RETADUP
Reference: http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/

Rule name: Chrome_stealer_bin_mem
Author: James_inthe_box
Description: Chrome in files like avemaria

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Author: ditekSHen
Description: Detects executables containing URLs to raw contents of a Github gist

Rule name: INDICATOR_SUSPICIOUS_EXE_Referenfces_Messaging_Clients
Author: @ditekSHen
Description: Detects executables referencing many email and collaboration clients. Observed in information stealers

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe 546e5320773891c160621ec99d48fb4d90d6d58bc26ab01d7e5a3f16fec9636c (this sample)
Delivery method: Distributed via e-mail attachment