MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00
SHA3-384 hash: cb7c2636e898c217ccd4a222cd602991ba705ca16b916f4b847328dd3cd03d84562265f9309655b7d2a044a017f4fa39
SHA1 hash: 133e77944a3a96d1990625852a7aca07d14aea18
MD5 hash: e45990d9beb47680277902b0d58ac979
humanhash: single-mobile-blossom-charlie
File name:RFQ201.exe
Download: download sample
File size:8'614'400 bytes
First seen:2021-01-08 08:26:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:O5m0UrcAmyLMJHxHp9oSlGUAJaOeiCRqKoe:
Threatray 17 similar samples on MalwareBazaar
TLSH 8F865C116FD3254EF2F3E07612B19AD6AF38FA7A72845A1D825D2B554C03F862F83D06
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cbdjo.cam
Sending IP: 111.90.159.32
From: Daniel Gomez <sales@my-equipment.com>
Reply-To: mzahar04@protnmail.com
Subject: FW:RE:RFQ
Attachment: RFQ201.zip (contains "RFQ201.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ201.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-08 08:34:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10417860-8ab4-4ad7-a445-9301773beb5b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110943/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36043027.6075.3250.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a window
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/576497
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-01-08 03:51:51 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kzzh2zx3j22prtwturri5g6or67knbfkl3ikwbcb3pb52kohj4aa._file
Verdict:
unknown
Similar samples:
52bbd5f868a0a36d7f3ef1d675a8553414cf5057bf2b99b871fec5bcf0720122
58909bdbe9145136b971a479fe4eb668fcf23278cd14c29b8526ef0627a5ba0f
5c099242c7525e8af2adb86a20685cdab5c9a7c2b7da862a843e5baf63204f4e
6f96c1cc562c104cb339f346411c7b983c42ccded781115e1de67d645df9a00a
7380f791a7bb79b986dba49ba94e0f2e4a16abeccb3a7117d5acf27c3977a530
9571c8778f8fbce9e3bda5437cbcc7d7a6623d7ae13b7a3ec127c2ab6e7f4ca4
ab5ea57fdd5bfa91a11db4d85f99a84e342ead177da5744dff012398d153f4ba
b9f26773127ea443af79c294d1b3a16f8d98556976780aff8e98f37a2ac5ad99
c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
fd16b4767d7764fde593f6b7d6449ccb233c18270bf45d67edde500c5028dc94
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/210108-zq3a65x9h6/
Behaviour
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00
MD5 hash:
e45990d9beb47680277902b0d58ac979
SHA1 hash:
133e77944a3a96d1990625852a7aca07d14aea18
Link:
https://www.unpac.me/results/9a633052-6e89-4fb6-a4a7-7db2ba0b6bfd/
SH256 hash:
977f03c546cf51e7a294f76493a4fdf00b15b0e97568edb8488c25b960b81b62
MD5 hash:
e3bb5b1a8480497fb00d866f1162149f
SHA1 hash:
313035f7d54c39d16f2a74f6b754c6f19459dc75
Link:
https://www.unpac.me/results/9a633052-6e89-4fb6-a4a7-7db2ba0b6bfd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 7a17bc57844db8021dda9327911eda9aa92e1f438e991b2759f19ec6d22819dc

Executable exe 56727d66fb4eb4f8ced3a4628e9bce8fbea684aa5ed0ab0441dbc3dd29c74f00

(this sample)

  
Dropped by
MD5 eb355d317b0ca937849199e287f5129f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7a17bc57844db8021dda9327911eda9aa92e1f438e991b2759f19ec6d22819dc
Cape
Cape
https://www.capesandbox.com/analysis/110943/

Comments