MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5820ec12784630d61e498b8332b9f71be97db4d13d49ac1f818e3b88a48193e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5820ec12784630d61e498b8332b9f71be97db4d13d49ac1f818e3b88a48193e1
SHA3-384 hash: b410c24c822215aceed1c3f39451e39cb65c7848bca0cd83cd3b9f80251bd5f56c213fe975c84bab40bf4c470aeb306f
SHA1 hash: a09ceab3de7c75e555dcac1949b1bbc6cbf6a563
MD5 hash: 90a745c504d2f7072351b0e261bcd264
humanhash: hot-east-early-venus
File name:purchase_order#123.exe
Download: download sample
File size:215'552 bytes
First seen:2021-09-02 11:17:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1ae303f9ca154f97154a83434ad1cdc6 (2 x Loki, 2 x AgentTesla, 2 x AveMariaRAT)
ssdeep 6144:AwEfD/i1lkemVTtOASZNaEz2d17DnFcXpuVy:emetOfNI76E
Threatray 749 similar samples on MalwareBazaar
TLSH T11124F736F781F42EE482447DBA09EFA55424393029A9C443F7C1AF1B78715EADA25F0B
dhash icon d0d6969696ccd4d6 (26 x SnakeKeylogger, 5 x RemcosRAT, 2 x Formbook)
Reporter GovCERT_CH
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
purchase_order#123.exe
Verdict:
Malicious activity
Analysis date:
2021-09-02 11:19:41 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/f259b1da-43f1-4a02-8d80-430438eb874e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184735/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Malware family:
Dimnie
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/27ebde54-8826-4069-a32a-2941b4d1d5cd
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/843940
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5820ec12784630d61e498b8332b9f71be97db4d13d49ac1f818e3b88a48193e1/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-09-02 11:18:06 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=laqoyetyiyynmhsjrobtfopxdpux3ngrhve2yh4bry5yrjebspqq._file
Verdict:
malicious
Similar samples:
0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
418b71760c6de41ed293744610e252c7474decd221371ffa449411dde751be46
4347930ebc98dfd11b612dd288b68f23b67d3fcb4afd5e3963e55283f951ba0e
59c0a91faf884e242be0d2384d94eba2536a8f155ae568355eed225f2543176e
6e51e43998abedba64180c3c2b4c6c36028ad00706ad37e3baca1562bc966909
88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
e61195d0d4b897536f0cc090d36140099db443b5b913894d13cd76f7abee36b6
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
+ 739 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/210902-yqva189rxa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Unpacked files
SH256 hash:
5820ec12784630d61e498b8332b9f71be97db4d13d49ac1f818e3b88a48193e1
MD5 hash:
90a745c504d2f7072351b0e261bcd264
SHA1 hash:
a09ceab3de7c75e555dcac1949b1bbc6cbf6a563
Link:
https://www.unpac.me/results/086b5d91-d74b-4aa2-9d5d-2ec8a1545b71/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5820ec127846/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5820ec12784630d61e498b8332b9f71be97db4d13d49ac1f818e3b88a48193e1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 5820ec12784630d61e498b8332b9f71be97db4d13d49ac1f818e3b88a48193e1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184735/

Comments