MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000
SHA3-384 hash: adff405507e544aedbe16deda503ad95fed42b770ca6b2164684e57524494a1e8a59d075784435352188c0cced643efb
SHA1 hash: e3935b041c9ff7a12d6c6622d16aad30f6a21bf3
MD5 hash: 988a0c01a18e92a42a48b33614f0a446
humanhash: may-cardinal-four-alaska
File name:Payment Receipt.exe
Download: download sample
File size:544'768 bytes
First seen:2021-02-22 07:29:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ce95782f94d8c06a522ef2ce68f3fe9
ssdeep 12288:uJZJpZFS02i46A9jmP/uhu/yMS08CkntxYRJ:uJZ7ZFiNfmP/UDMS08Ckn3E
Threatray 4'831 similar samples on MalwareBazaar
TLSH FDC48D17EB10F10AE452C8B02965929B67397D321280AE03F7C16F5AA6726D7BCF570F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: zmail.lkcl.in
Sending IP: 180.211.114.254
From: Basudeb.Pan <info@lkcl.in>
Subject: Payment Acknowledgement Is Attached
Attachment: Payment Receipt.zip (contains "Payment Receipt.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118242/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop16.11011.10092.19889.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Sending a UDP request
Creating a process from a recently created file
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/613800
Signature
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355911 Sample: Payment Receipt.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 84 20 Multi AV Scanner detection for dropped file 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected VB_Keylogger_Generic 2->24 26 5 other signatures 2->26 7 Payment Receipt.exe 1 15 2->7         started        10 keaaxqch.exe 2->10         started        process3 file4 18 C:\Users\user\AppData\...\keaaxqch.exe, PE32 7->18 dropped 12 cmd.exe 1 2 7->12         started        14 keaaxqch.exe 1 13 7->14         started        process5 process6 16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 03:54:25 UTC
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kt3wx76unc73hcvpblnq7ln7zh5dvfd3iigqalbca3sxzac6maaa._file
Verdict:
malicious
Similar samples:
0de8c08eef7182d528e0d4f959ec604d4f1dec3340951a8567f17d930968004d
1b712bad801de2511bf70f81798ecb681e44aff94cfa82945163c006ccc72224
1f2ea9ef433792f61c4b84cc41f129953190e2ba59469110ed3151b283df2844
2464c809da65df86726890a34440bd4890ae90913d617beecf606069d5079dc4
4a1ebe8938ac9ac6ae7b502c4561bf514bc47ccdb87abae9777a5ac526d6540c
64f35fe447d4a0c881b98a7542e8f7435dad594f8bd0b8bf457e3bd23b3d04f3
97221489af92e73d97d57dcd41e20fb3dcce3ecbf6d300fcbbd87cf631fc6536
b740187c22ed9782ff2ccdb6d2eb79b1737c7edd5e7882c27d26f777928fc40d
cc0614f4e21c1d63a80e1ddecfd591353e15aa849f754be9d8b709cc6e9841c9
eca9894179ef698c8568b19123c1cea81607e5523804827c91fb12d228faf34a
+ 4'821 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210222-gy2whz6mdx/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000
MD5 hash:
988a0c01a18e92a42a48b33614f0a446
SHA1 hash:
e3935b041c9ff7a12d6c6622d16aad30f6a21bf3
Link:
https://www.unpac.me/results/b9b7abc4-4417-4991-910f-8251da9ef396/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 9ccb83ac658508256311a37242311da5ad732e9e6d5f58c84655291a3018a804

Executable exe 54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000

(this sample)

  
Dropped by
MD5 b4f12b8cf550b7d42a7e4a854e98472e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118242/
  
Dropped by
SHA256 9ccb83ac658508256311a37242311da5ad732e9e6d5f58c84655291a3018a804

Comments