MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57c248e2b2943aca0f672bd585cf3f959151973643bd0a04aebd35b87724dadb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57c248e2b2943aca0f672bd585cf3f959151973643bd0a04aebd35b87724dadb
SHA3-384 hash: d550ee818881a2c5f3579a6342594e8a8607b4810942cc58728631e3afd0172bc382147abfd3f0a2a97290b62a26043a
SHA1 hash: 74e528c44b5ca1377ce86beb9bebb28fff675d48
MD5 hash: 87d72a231677a812a80be1dffaea8a6e
humanhash: utah-lamp-monkey-social
File name:RFQ-2018283ORDER.DOC.doc
Download: download sample
File size:42'264 bytes
First seen:2020-10-07 16:43:27 UTC
Last seen:Never
File type:Word file doc
MIME type:application/vnd.openxmlformats-officedocument.wordprocessingml.document
ssdeep 768:nI5fWu2jvYT98q2BOw201+8v+xgR0ew15SUzCAaFb6:8fOW8qvwr+8vcU0huU+O
TLSH B913E121F8297D1FDE62C7FC987980A1E295424FBAC5C58F29C4691E97116C24732F8D
Reporter abuse_ch
Tags:doc


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: digitalup3.mynewserver.com
Sending IP: 138.201.249.139
From: Mohsen Chahine | CEO <carlos.gagliardi@fibertel.com.ar>
Subject: RFQ # Q20182401 // ORDER_N ° 10014 //New_Suppliers_Ord er / [OCT-DEC]
Attachment: RFQ-2018283ORDER.DOC.doc

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Bypassing of proactive protection methods using Windows Management Instrumentation (WMI)
Launching a process by exploiting the app vulnerability
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484305
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Compiles downloader code with a AMSI bypass
Creates processes via WMI
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294596 Sample: RFQ-2018283ORDER.DOC.doc Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for domain / URL 2->33 35 Antivirus detection for URL or domain 2->35 37 Antivirus / Scanner detection for submitted sample 2->37 39 7 other signatures 2->39 7 powershell.exe 14 25 2->7         started        12 WINWORD.EXE 31 49 2->12         started        process3 dnsIp4 31 onlygodem.com 91.223.82.173, 49710, 80 IWSNETSE Netherlands 7->31 23 C:\Users\user\AppData\...\ux352a43.cmdline, UTF-8 7->23 dropped 25 C:\Users\user\AppData\Local\...\ux352a43.0.cs, UTF-8 7->25 dropped 41 Compiles downloader code with a AMSI bypass 7->41 14 csc.exe 3 7->14         started        17 conhost.exe 7->17         started        27 C:\Users\...\RFQ-2018283ORDER.DOC.doc.LNK, MS 12->27 dropped 19 splwow64.exe 12->19         started        file5 signatures6 process7 file8 29 C:\Users\user\AppData\Local\...\ux352a43.dll, PE32 14->29 dropped 21 cvtres.exe 1 14->21         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57c248e2b2943aca0f672bd585cf3f959151973643bd0a04aebd35b87724dadb/
Threat name:
Document-Word.Downloader.Obfuser
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 15:02:03 UTC
AV detection:
18 of 48 (37.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7beryvssq5mud3hfpkyltz7swivdfzwio6qubfoxu23q5ze3lnq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/201007-t8gr6fewvx/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in System32 directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Blacklisted process makes network request
Executes dropped EXE
Process spawned unexpected child process
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/57c248e2b2943aca0f672bd585cf3f959151973643bd0a04aebd35b87724dadb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Word file doc 57c248e2b2943aca0f672bd585cf3f959151973643bd0a04aebd35b87724dadb

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments