MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5
SHA3-384 hash: 081377ddda8b403f8c8692f13f89dfadc1262b96f72d21b7ea050abdc1a8ac8a906dd2745828a90d269eb9025f1b6dc4
SHA1 hash: 6e4f334261d03bc3b4ba1d9d1b4d9cf8c02ad892
MD5 hash: bc778621f6bafcea09140e15f9e80ab6
humanhash: wyoming-nuts-wolfram-whiskey
File name:ProformaXInvoice.pif
Download: download sample
File size:1'661'952 bytes
First seen:2023-08-10 06:31:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 49152:6TUAJdngF5N8tvx++6EiNaI0y5vHsBgZlfyQ41:uUUdWCtp+vjNaWtogZlKQ
Threatray 793 similar samples on MalwareBazaar
TLSH T162752217F6C789F3C24C97B6C69B811007B1D1D4B633C20A799F23D607137AA9A5AE4B
TrID 40.9% (.EXE) Win64 Executable (generic) (10523/12/4)
19.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
8.0% (.ICL) Windows Icons Library (generic) (2059/9)
7.8% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ProformaXInvoice.pif
Verdict:
Malicious activity
Analysis date:
2023-08-10 06:43:46 UTC
Tags:
zgrat backdoor stealer
Link:
https://app.any.run/tasks/84671876-4347-48ba-9e9d-438e1eaa0100

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/441902/
Detection(s):
Sanesecurity.Malware.24184.7zHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Creating a file in the %AppData% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade packed
Link:
https://www.filescan.io/uploads/64d48464a5c3e653be16650f/reports/2c0b5190-167a-4ede-8380-e539843aaaec/overview
Verdict:
Malicious
Labled as:
Ser.MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/39344281-a06d-4c3e-9439-8b3975289d1c
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1289217
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-08-09 21:11:33 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
18 of 37 (48.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=maanzu6iiycr4jmkr5pgx4edy27h2cqxspoib2heecy4ldf4u3kq._file
Verdict:
malicious
Similar samples:
06a9ec554700c23590c89a5281d875fb042e1f8f1ce0ba8615883a4529cbe84f
29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95
389a7b386cf1cb266462813f116b66c1e01fea86116a9c9c9630c890418fb2f1
39effc8ad793805f7a5558b804d72b01de87db3a89657c91d5508612c15d3761
4e1e9baa83e4e1f612490a1348ba9d6aa431563ad96320705d3ea886a8ede4e9
53e891f9b9098e2f7f29c3129ff55d16faa213ac9d07efbb5443d0d42809adf2
5732c82b705016d7bf79058f82f45b01d18d2986fbc8454deeb2894da020a519
78814ac115992f6ae9da08c10991fcc5a824c43caf7a75881427feac3bb4cd62
851f06a5ea70130dc3f9427d37c7ad8922a1a3a853ae5711784a272b014c95d5
b6a1f7a46ead00ddc8691bc83782d299934ef81a8dd9517d09aadd4296120ef3
+ 783 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230810-hal8vacd31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5
MD5 hash:
bc778621f6bafcea09140e15f9e80ab6
SHA1 hash:
6e4f334261d03bc3b4ba1d9d1b4d9cf8c02ad892
Link:
https://www.unpac.me/results/058d6219-2dee-40a5-8ea7-4611e19a8003/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 6000dcd3c846051e258a8f5e6bf083c6be7d0a1793dc80e8e420b1c58cbca6d5

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/441902/

Comments