MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008
SHA3-384 hash: 54c964f3d52de83a1c94a651b301171f806b276f1dcce34af99885fcddcf7c621b172692ae8dc0a241c9b75ffa07f34f
SHA1 hash: 0b47af03cbab3ce8aa263fac9a9f29a2b5f84375
MD5 hash: 029895d0f40fbd864c207af0db764d5e
humanhash: pip-stairway-triple-ack
File name:order inquiry.exe
Download: download sample
File size:1'655'808 bytes
First seen:2021-04-06 06:29:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:h+3BEEMUSTB1SzzDyEF/B5/sW092Rh7IDX:h+mcIBsHykElW+
Threatray 224 similar samples on MalwareBazaar
TLSH BB75F12D27989BB1E6F9CB7C4420004053F1A60FE355D65A7DF2DDCD3A7BB818A6E602
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mailsnd1.chol.com
Sending IP: 203.252.1.122
From: 장선옥 <jeongwon1@chol.com>
Subject: QUOTE USD PRICED FOR ATTACHED
Attachment: order inquiry.zip (contains "order inquiry.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order inquiry.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 06:32:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b76f0cae-a282-49bd-aa73-99e25c622ce4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132575/
Detection(s):
SecuriteInfo.com.Artemis029895D0F40F.27626.21673.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/667168
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 06:30:08 UTC
AV detection:
12 of 48 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l32pdvmusjseg4xe32ivqz4yvw3yqqzjq6ciomdjjpunwd4wqaea._file
Verdict:
unknown
Similar samples:
0c958322a92b7ba746b44613adccedc2b0a246095f15a71f50fc8f5423909350
62e2d0479075cb28a37635972b9d3ad111e77b86b70de000409e11fe3f1d025a
63e969ed05409bdcf1992ef0ad0fb143d76e808379a2070a372f77b490c83770
647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e
b24cb4cd3db305d5451cb3c0d0e60fe578b1fd38aca4be6032fb0ce2f0b786b4
c6b1bd6ce756a09bc3ce5b1b322abb8cc9700a640cc37cb8c32ebfc1eb433184
f49e7d90e44091331a7858ff19947ab40d062a2e32bbff120b863c67118e0d83
+ 214 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210406-933z1rtvvx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/5408e890-2b8b-470d-b91f-413d0c98bec3/
SH256 hash:
5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008
MD5 hash:
029895d0f40fbd864c207af0db764d5e
SHA1 hash:
0b47af03cbab3ce8aa263fac9a9f29a2b5f84375
Link:
https://www.unpac.me/results/5408e890-2b8b-470d-b91f-413d0c98bec3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 011431e7f7e83d6299635fbc99f76c8f80890985308fbf2ca738bdeed8ef21fd

Executable exe 5ef4f1d59492644372e4de91586798adb788432987848730694be8db0f968008

(this sample)

  
Dropped by
MD5 8a3ac3587c2996b20e5cf3f086433574
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132575/
  
Dropped by
SHA256 011431e7f7e83d6299635fbc99f76c8f80890985308fbf2ca738bdeed8ef21fd

Comments