MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c
SHA3-384 hash: 2f4b460b7eed57d697f98ce390dac7992fb375764aba8b5af155370358d54d9dc47af175bd4fb68f788eee1bb9869106
SHA1 hash: 98b77116172ade021d55f1f7ad852c58e4774b77
MD5 hash: 483d5d36359dd72b332e625147dac3e7
humanhash: fruit-victor-papa-beryllium
File name:483d5d36359dd72b332e625147dac3e7
Download: download sample
File size:3'149'824 bytes
First seen:2023-06-21 14:59:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:8jP25iV9iNaM4IRyZ1CL3P/NY7LB+oTZhex1LH/95u0CGAbWhmgxFYSfZJeq:
TLSH T184E59EE8D06F40C2EC076EC56828BAC7073236B3DDE50434376E7A089F7BDA95549E5A
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://michal-dolowacki.pl/editor_images/Order_form_KLS2301_07095501400000678.xlsx.pif
Verdict:
No threats detected
Analysis date:
2023-06-21 14:17:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0480ade9-2252-4db2-a7f2-550d1325c488

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/401459/
Detection(s):
SecuriteInfo.com.PUA.EmbeddedEXE-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a UDP request
Creating a file in the %AppData% directory
DNS request
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6493107499f0c0cb0933409a/reports/78c18f41-b2a5-4230-8a19-8fdd6968e79c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f58506fc-31af-41cc-bf2d-201209fbe281
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1259128
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 892146 Sample: ssunSuNYLh.exe Startdate: 21/06/2023 Architecture: WINDOWS Score: 100 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 .NET source code contains potential unpacker 2->49 51 4 other signatures 2->51 7 ssunSuNYLh.exe 1 4 2->7         started        11 Endfjqpiuxg.exe 1 2->11         started        13 Endfjqpiuxg.exe 2->13         started        process3 file4 37 C:\Users\user\AppData\...ndfjqpiuxg.exe, PE32+ 7->37 dropped 39 C:\Users\...ndfjqpiuxg.exe:Zone.Identifier, ASCII 7->39 dropped 41 C:\Users\user\AppData\...\ssunSuNYLh.exe.log, CSV 7->41 dropped 53 Writes to foreign memory regions 7->53 55 Modifies the context of a thread in another process (thread injection) 7->55 57 Injects a PE file into a foreign processes 7->57 15 cmd.exe 1 7->15         started        18 MSBuild.exe 2 7->18         started        21 cmd.exe 1 7->21         started        59 Antivirus detection for dropped file 11->59 61 Multi AV Scanner detection for dropped file 11->61 63 Machine Learning detection for dropped file 11->63 23 cmd.exe 1 11->23         started        signatures5 process6 dnsIp7 65 Uses ipconfig to lookup or modify the Windows network settings 15->65 25 conhost.exe 15->25         started        27 ipconfig.exe 1 15->27         started        43 prelogs.duckdns.org 217.64.149.248, 2023 OBE-EUROPEObenetworkEuropeSE Sweden 18->43 29 conhost.exe 21->29         started        31 ipconfig.exe 1 21->31         started        33 conhost.exe 23->33         started        35 ipconfig.exe 1 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c/
Threat name:
ByteCode-MSIL.Trojan.Remcos
Create hunting rule
Status:
Malicious
First seen:
2023-06-21 06:04:53 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
21 of 37 (56.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ln5lu7exc4srhcd7kxuvbhskekrez5fgvedtpdvbb26kpjfdriwa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/230621-sdbavsbd41/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Unpacked files
SH256 hash:
5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c
MD5 hash:
483d5d36359dd72b332e625147dac3e7
SHA1 hash:
98b77116172ade021d55f1f7ad852c58e4774b77
Link:
https://www.unpac.me/results/8a7d5f4d-8093-4748-94bd-776bf949c396/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5b7aba7c9717/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 5b7aba7c97172513887f55e9509e4a22a24cf4a6a907378ea10ebca7a4a38a2c

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/401459/
  
URLhaus
https://urlhaus.abuse.ch/url/2668508/

Comments


Avatar
zbet commented on 2023-06-21 14:59:34 UTC

url : hxxp://michal-dolowacki.pl/editor_images/Order_form_KLS2301_07095501400000678.xlsx.pif