MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8
SHA3-384 hash:	0a90733a945d9aec6a657c92730e250a82c8b1180018f666840fdb93e966a0415aa64a446a9a91f8012db57cbf80ff4c
SHA1 hash:	48321afd723848dd15a55003f4a48be62cb1fd6a
MD5 hash:	91e462491bc750e8f64c92a91afb88ce
humanhash:	princess-twelve-lamp-sweet
File name:	quotation5.exe
Download:	download sample
File size:	1'641'424 bytes
First seen:	2021-03-30 06:27:28 UTC
Last seen:	2021-03-30 08:01:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep	49152:yog9HikVuDvTJXH9IF4Sej3qGhkasyq4dKVFMz:FgHQTVVSm6qO7Sz
Threatray	974 similar samples on MalwareBazaar
TLSH	F67533AF1053256ED040AEB100569E35BBB7A81D87D6A9D337F00BAB1C025E5FB2F1C6
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: slot0.eerient.com
Sending IP: 203.159.80.109
From: pmc@pharmachine.com
Attachment: quotation5.zip (contains "quotation5.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

quotation5.exe

Verdict:

Malicious activity

Analysis date:

2021-03-30 06:28:21 UTC

Tags:

installer

Link:

https://app.any.run/tasks/5d8f78bb-5e2e-4bc3-8ecf-e8087f43ea25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127906/

Detection(s):

SecuriteInfo.com.Trojan.Siggen6.55368.10879.8316.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Unauthorized injection to a recently created process

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5f02c66e-00b5-410e-9d87-3c7f1cb13ade

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/658023

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected Generic Dropper

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8/

Threat name:

Win32.Trojan.Spynoon

Status:

Malicious

First seen:

2021-03-29 22:55:36 UTC

AV detection:

8 of 45 (17.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mcnkdd4agozgmaa5q3hgsecpqhha2uqn7dqxdatxxxzepgwlchua._file

Verdict:

unknown

188538804ed1b796ad27deddc451c9912a0d4a1450412e87be2da6c84e5a8e69

54fada6c9bfdc946561633bf5e3788d1921b6635629c02b6ba9a91ad7c008b60

686eca2834dd77a34fa608e4cd4507c6ac57613a41a705ad848b81fe8dbfcec4

82621061b2fa95bfbad7d9c67b02fe68fcda03fd70ac628252fbade7a11e19d9

97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f

9d6bd6a6caed8cbef5c95ed13d01a1e6c72e9e62b513261c0fabf100ff82abb9

a115e321c5902daa72854362422ea2a6cafbc5c7fcadfad0b8d03944d14e32e8

ab703a3bc7d05c62bcc127febfd82a7903a47f45664b5195ada070eb748d5b25

b6177b19a010725f003f7828862f9217af33f3b38a517a40c94c7e8174a91c95

+ 964 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/210330-9jgheydgej/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078

MD5 hash:

eef9e469e8a30717974499f277d97e2a

SHA1 hash:

2d33c25984ebd9116beeb55cdde4c5c86c023e5d

Link:

https://www.unpac.me/results/e8a84685-0b17-4b12-8fb0-a446c0b88546/

SH256 hash:

609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8

MD5 hash:

91e462491bc750e8f64c92a91afb88ce

SHA1 hash:

48321afd723848dd15a55003f4a48be62cb1fd6a

Link:

https://www.unpac.me/results/e8a84685-0b17-4b12-8fb0-a446c0b88546/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.47

Link:

https://yomi.yoroi.company/submissions/609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 1120c91212c993d4efbb61d48f44ef3028be349ac4f53494f2a01b7f6de22bbf

exe 609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8

(this sample)

Dropped by

MD5 b4268b7d10e74fcd07a5dc96aa21e7c6

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/127906/

Dropped by

SHA256 1120c91212c993d4efbb61d48f44ef3028be349ac4f53494f2a01b7f6de22bbf

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample