MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SendSafe


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0
SHA3-384 hash: d50afbcb32281d8b00883d69f62900cb08a98d959cee42a434ad78580a979c8847682e6e4a7183fc9902e6f31e1219b1
SHA1 hash: e6d1ba18bdb941636a2f03f4199e6fe46c04c3d3
MD5 hash: 13cf6e639bd4d6c7478f438e001beec7
humanhash: ten-hot-tennis-king
File name:13cf6e639bd4d6c7478f438e001beec7
Download: download sample
Signature SendSafe
Create hunting rule
File size:1'975'640 bytes
First seen:2021-07-06 22:36:06 UTC
Last seen:2021-07-07 00:10:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fee9a94171107f726d5f8efe9e99a932 (1 x SendSafe)
ssdeep 49152:p528wME4n6U/COuRMdt/8zexPwT0zZb9Im/xnGi5GvJs:bdFuzelA01si5CJs
Threatray 5 similar samples on MalwareBazaar
TLSH 6A95F10675C8DFB7D18792759980D2B24207FC46976CB0C7F2C1BB9E21717F6422A3AA
Reporter zbetcheckin
Tags:32 exe SendSafe signed

Code Signing Certificate

Organisation:PBAJUXZSQTOPNBCUHL
Issuer:PBAJUXZSQTOPNBCUHL
Algorithm:sha1WithRSA
Valid from:2021-05-24T10:39:14Z
Valid to:2039-12-31T23:59:59Z
Serial number: -7191f978c4099752b388fdb8cb6409f7
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ee33266f16e671f9c9d3a1380b8379031a8edcc3ee73c1d0b6c26f8c5153c1c2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
1'039
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
13cf6e639bd4d6c7478f438e001beec7
Verdict:
Malicious activity
Analysis date:
2021-07-06 22:39:45 UTC
Tags:
trojan sendsafe
Link:
https://app.any.run/tasks/f648f4d0-4111-4068-a8ee-3bd8dfb00de2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170088/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.27959.20965.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a0719dde-793a-4cc4-8221-a6ea566567e7
Result
Threat name:
CryptOne
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/812605
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CryptOne packer
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 445016 Sample: POsmWUVecb Startdate: 07/07/2021 Architecture: WINDOWS Score: 80 25 Multi AV Scanner detection for submitted file 2->25 27 Machine Learning detection for sample 2->27 7 POsmWUVecb.exe 2 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 9 1 2->13         started        15 9 other processes 2->15 process3 dnsIp4 21 31.44.184.119, 50016 PINDC-ASRU Russian Federation 7->21 29 Detected CryptOne packer 7->29 31 Detected unpacking (changes PE section rights) 7->31 33 Detected unpacking (overwrites its own PE header) 7->33 35 Changes security center settings (notifications, updates, antivirus, firewall) 11->35 17 MpCmdRun.exe 1 11->17         started        23 127.0.0.1 unknown unknown 13->23 signatures5 process6 process7 19 conhost.exe 17->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0/
Threat name:
Win32.Trojan.CrypterX
Create hunting rule
Status:
Malicious
First seen:
2021-07-06 22:36:20 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ksfozjr4owhis2ujlgq7bjg4zvp4q6xfplyusfxfjj7uowearwya._file
Verdict:
malicious
Similar samples:
38d3f45c15d354a76eaa73d2da717165dee22b8207fa87088685486019ff482d
SendSafe
639040459f4506fcc0c84cc54b42d3510792d5dbbe81badecadcb040965311f5
SendSafe
6ec5a40cb123440086c8c5371bfe69de18882714f2d3bc9bb9c4a9a9c151f009
SendSafe
a9a117ae98fd5a5f90a2058461be2dc525bde25a920d9acaeae2490633587392
SendSafe
aba57bf3e798f491ef816d1b91cd5a7d81c72c725d2bd62e94346fc5028593f5
SendSafe
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210706-7gxdgwyv8s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
934c92a63aba51381c4e4d41cd305a36559fe5a617dad15a37386928f255a272
MD5 hash:
7b3ac8eb529eb4164a1521a8dbf10689
SHA1 hash:
a3180e4619590554e218d0d9b0c8fdfdbbfc7662
Detections:
win_sendsafe_auto
Create hunting rule
Link:
https://www.unpac.me/results/f136472c-f22a-40f1-a920-745af96c89b2/
SH256 hash:
548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0
MD5 hash:
13cf6e639bd4d6c7478f438e001beec7
SHA1 hash:
e6d1ba18bdb941636a2f03f4199e6fe46c04c3d3
Link:
https://www.unpac.me/results/f136472c-f22a-40f1-a920-745af96c89b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:sendsafe
Create hunting rule
Author: J from THL <j@techhelplist.com>
Reference:http://pastebin.com/WPWWs406
Rule name:win_sendsafe_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

SendSafe

Executable exe 548aeca63c758e896a8959a1f0a4dccd5fc87ae57af14916e54a7f4758808db0

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1431933/
Cape
Cape
https://www.capesandbox.com/analysis/170088/

Comments


Avatar
zbet commented on 2021-07-06 22:36:07 UTC

url : hxxp://kubantr0.ru/119.exe