MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef
SHA3-384 hash: 320c610bbeef8f87c76d516c642daee38a560ab3716dd3fbd949bf135006a5c91af02af8db31c02e1110c822124856d3
SHA1 hash: 97decceedc4e24d03c45cadafb88940695ccfcae
MD5 hash: b21f6724198f32941b6dec8e63a3acd2
humanhash: ten-summer-monkey-wyoming
File name:Order_015_pdf.exe
Download: download sample
File size:1'285'120 bytes
First seen:2021-03-31 07:02:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:Wui3H9U2GU/8moxmAAXgUUdPdvzgS3c0x3:WNmD9XPdv0S3t3
Threatray 149 similar samples on MalwareBazaar
TLSH C355DFE8350075DEC81BCD3689641C209A61BDFA570BD603901776ADAA3EACFCF951E3
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail24.lwspanel.com
Sending IP: 91.216.107.39
From: Jessica N. Aguilar <jessica@vae.ahk.de>
Subject: Re: Order request...
Attachment: Order_015_pdf.tar (contains "Order_015_pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order_015_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:22:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/05a48f33-66c2-444b-9f8b-21fb078aef22

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129179/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.601-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Creating a file in the %temp% subdirectories
Deleting a recently created file
Replacing files
Reading critical registry keys
DNS request
Connection attempt
Sending an HTTP POST request
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/659988
Signature
.NET source code contains potential unpacker
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-03-31 00:32:09 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kym4qok5kbwaltv5ctlbixehvb7ffmtfujccvjw35jbr7fgcf3xq._file
Verdict:
malicious
Similar samples:
15008ec3816e2a10d985e9763ac5d64bbc70ddaee7dc0db5686dca17a466045d
30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030
3315dba57b06d3e95fdab93ad09e5a67755b7ecf81274b0907cfe2e051e36b3b
5480340b2822c69c55e9ba2251adc3efb3a258894fd4581e836268275501cfa3
57b3bc2626b9c7fa3000e8be451e8b5799e39e0c9c957847467623a26e2c0652
5a746e5d571da38e2d3a73e37500182ce14cc15ba5dcef30851cfbbeeacd73cc
65c205b93cf9c6d9e9acd5336e010a43309688bfc2e28cffbb5ba8973757fd49
b5188b0e21575407dbfc61df11d80353a6fec4f57098596b45e37bc746ba58e9
c973d5e41c51df55c3b09912bd981cd4872c3a65869f298ffb281db49ba1bc2a
e58365faedd335953c8f41dc5d7e9056c6db3924628dcf977ad7e556410d558a
+ 139 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210331-58qr82mpkj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
00707d997b691c28bc51bde5f419d572d8e34bbc0d5ba6dfacd213f2460f6eb6
MD5 hash:
32a4d8ce734c06fe20c3fa793eab13ad
SHA1 hash:
527326cbeb517a6ca062286a63a995bc858b17fe
Link:
https://www.unpac.me/results/d3d1d657-0de6-415e-98e5-22e96168fb0c/
SH256 hash:
7e5a84714fc4cdb5d895bcad022c500d53e46d346a47d6df455780e68bfbad5b
MD5 hash:
bafbad775f319abbcfb4fe0c75eb4d9a
SHA1 hash:
5168cfb0bdee54a8754b1c379d187ca01265c007
Link:
https://www.unpac.me/results/d3d1d657-0de6-415e-98e5-22e96168fb0c/
SH256 hash:
96e308c2809a9b475c894b0fb16cd5d9935cba50dca4792115f857b113720fea
MD5 hash:
a3680fcbe70aab731dc389cad11cfa08
SHA1 hash:
3692e4327ec73207c524cad2b85423b4603ff126
Link:
https://www.unpac.me/results/d3d1d657-0de6-415e-98e5-22e96168fb0c/
SH256 hash:
5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef
MD5 hash:
b21f6724198f32941b6dec8e63a3acd2
SHA1 hash:
97decceedc4e24d03c45cadafb88940695ccfcae
Link:
https://www.unpac.me/results/d3d1d657-0de6-415e-98e5-22e96168fb0c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

tar 891c9afdcd1f9e944149d7839f1dca9b720b72b795c6b6fd6e93cef9dcfbc02d

Executable exe 5619c8395d506c05cebd14d6145c87a87e52b265a2442aa6dbea431f94c22eef

(this sample)

  
Dropped by
MD5 f884b38a406ad29d5debd15386849d19
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129179/
  
Dropped by
SHA256 891c9afdcd1f9e944149d7839f1dca9b720b72b795c6b6fd6e93cef9dcfbc02d

Comments