MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac
SHA3-384 hash:	b562d40929001958d671e556f76676393a77a537b21c41a6d99a180832c5b18c74537acf9c6a1cd0b198bcdbc00030de
SHA1 hash:	305bdadcbc10866d6eea9abc9823b912987e7da3
MD5 hash:	4c834d1fa92b988052df979d459b3764
humanhash:	football-nebraska-queen-princess
File name:	SHIPPING DOCS.exe
Download:	download sample
File size:	3'972'608 bytes
First seen:	2023-02-06 12:54:57 UTC
Last seen:	2023-02-06 14:48:31 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	98304:7jYqyDK34cHMiNf4VeVz42hKZsqt+Mh+JbZrHnyQ9bT:fYt84cHRN6YLsKm2bnyQ9
Threatray	922 similar samples on MalwareBazaar
TLSH	T15C063311A25AA110DAFE43B46BFE9565077C0604F533FA0CDBE931ABE6F9F6492B0701
TrID	63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.2% (.SCR) Windows screen saver (13097/50/3) 9.0% (.EXE) Win64 Executable (generic) (10523/12/4) 5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	8200828086860000 (9 x AgentTesla, 5 x SnakeKeylogger, 4 x Formbook)
Reporter	0xToxin
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SHIPPING DOCS.exe

Verdict:

No threats detected

Analysis date:

2023-02-06 12:59:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/82590a5e-89de-412a-8e63-ad0ff91cfe01

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360852/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1820.4995.21907.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Сreating synchronization primitives

Searching for synchronization primitives

Changing a file

Blocking the User Account Control

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/63e0f8a8905a5ac3b9098ca2/reports/9be3136e-0a17-40ad-b5ce-e9ed4a8d2ac1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Operation Manul

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8b8960e0-a472-4443-8406-3898bec710c5

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/1166643

Signature

.NET source code contains potential unpacker

Disables UAC (registry)

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-02-06 12:55:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 26 (61.54%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=l3zooc2hyjw6g66nh2ag5j6hsgdwwhv5uqdqixr2qhz33dvhyowa._file

Verdict:

malicious

4f3d500dc26e8a87fe7361064a50b7715731c378ec019e4643986f1e5c524cee

56055b9e7bc2e6577527cb86ca9e8598fa7caf9a909bbdb3e69b27a2236c9da9

9af4529917fe99ddec31841af17f0391908bc9b68d387f8ae3a9899cdbcb2315

9febe27e9673128ba73792c5fdb79e3cb88cc3b40781ec658d638e40eac055ea

a96e81ab89b3f962fb6281960569afc001c76f1a1af0866eb615db5b1824f9ef

ae628fd84f2ba783d82aa6e8804e7c41341671758e04ebc236f76ef7c7bee129

d6b229f25b3f185395e58f98c048cad58d929c7a25e6b95319d27da5f5292588

f6c28a76b12ddb94037c6cac0426ba87fb3201634731b901f66aecc15d5a98be

+ 912 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

evasion trojan

Link:

https://tria.ge/reports/230206-p5r6xadh75/

Behaviour

Suspicious use of WriteProcessMemory

System policy modification

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks whether UAC is enabled

UAC bypass

Unpacked files

SH256 hash:

6384dabeffdc0afc3d7f1e18d0033e7482790c0aa2f1f2af7cc39eb81795d0ef

MD5 hash:

f759d70f3bbee3865d9ba45b70c59bea

SHA1 hash:

f07ca29866cf8b0d92f18904860c40a284a5f550

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

SH256 hash:

820cb0acbce521277e463b8d7c7ed2b22813552791d7390eefaf5a380dddf3c6

MD5 hash:

c31eb7b27db06c5463b2e692862916ef

SHA1 hash:

a1618de64152ba415709fb69ae80d84960e39cb6

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

SH256 hash:

c4b7477982209ab8d77bde559e725548b100d0f9eb688bf4eb4c5638e210775f

MD5 hash:

a5fb432289be34eaa09a844cd1953a26

SHA1 hash:

a07bc74422dd923829116996feb088cdd41224f0

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

SH256 hash:

d06df7395d561e198f9b7c5481567116ff2e4c2e84437c018d2a2c8ea6c4ca37

MD5 hash:

0fb6061f7d37424fb9e6d0e76b019c19

SHA1 hash:

98a64bf7b459f032d6ec5793003bf61b5ae1dd74

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

Parent samples :

495607b1aef01bf7dfb64b5cb16a8fc0f161c2923627d71c69de97328f8eca3f
2434aa78b46a3afc98fa6e888c3eb56278ba52b0ff800e7e875af9c2e7f9011a

SH256 hash:

129e89df1e56172162090dc3c41619882db8b65ade7a6cd064792db147f2395a

MD5 hash:

1b9db13d42ea7a0e1f74246ed71f9c7f

SHA1 hash:

06f8d5bad67ada12aafdf6fefb89734fed1d9ca0

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

SH256 hash:

77d2e8adaf2e8ab44e71329d3bd30f039e08c442fc085435417b731dd6ec9ab7

MD5 hash:

41f9dfcdd96d769fd6d084de99cfd887

SHA1 hash:

593b7e3f6247112977d2044942be392d4ac32373

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

SH256 hash:

5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac

MD5 hash:

4c834d1fa92b988052df979d459b3764

SHA1 hash:

305bdadcbc10866d6eea9abc9823b912987e7da3

Link:

https://www.unpac.me/results/e0bf5386-7f42-4560-849e-d592cab56150/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/5ef2e70b47c2/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5ef2e70b47c26de37bcd3e806ea7c791876b1ebda407045e3a81f3bd8ea7c3ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/360852/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample