MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b
SHA3-384 hash: db51864ff6548190745c114f87153e23fa28db85d162961d45d9e342eb113ec68947e2b51e085ee7c329909024c24413
SHA1 hash: 3bce5c283ba540a860ac59850f03b57a85842692
MD5 hash: ae6418992b8632718a26ebc84b86edc9
humanhash: five-timing-violet-twenty
File name:documentos de pago.PDF.bat
Download: download sample
File size:639'488 bytes
First seen:2021-01-12 18:10:13 UTC
Last seen:2021-01-12 19:49:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:EOCPt2rk7aYn0ekJKxpWFyKZzdlc8tNlXLHlH:EOC1Gk7B0ZKxpubZzpFXLHlH
Threatray 6 similar samples on MalwareBazaar
TLSH 1FD40750ABA1A710D7BC27BE9421006127F1E767F3F8E76CED9160B65F52A2404FE782
Reporter abuse_ch
Tags:bat ESP geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smarthost1.gohsphere.com
Sending IP: 173.0.129.225
From: A&N Forwarding, INC. <facturacion@anforwarding.com>
Subject: Aviso de pago - Ref. Aviso[G1117599144] / Pago prioritario
Attachment: Documentos de pago.img (contains "documentos de pago.PDF.bat")

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
documentos de pago.PDF.bat
Verdict:
Suspicious activity
Analysis date:
2021-01-12 18:53:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e189b366-6397-48a9-80fb-965f323e3a66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111594/
Detection(s):
SecuriteInfo.com.Generic.mg.ae6418992b863271.25981.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/579352
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 18:11:09 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mcvciqpfmdxye27rxmk56ojva7fe5brh3wjp66sa735t27dr5v5q._file
Verdict:
unknown
Similar samples:
021e34e6c2220dd75d543909346f6f19f4ef6c356f530cd7bb64288393bbc7a8
3cdb85efd62add89d7945f62faf3c578d7fa6b5ec68573b1d774265afd46a8ad
d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf
dd364f123e241e6edd773382a05180e538e93eb6d471856f2217422e47526e51
e09a6d651f6bbb29c9de2321977d94d7eadf264ca3eb6bd0b7a6876cd6e4866a
e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210112-dwca2czwqn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b
MD5 hash:
ae6418992b8632718a26ebc84b86edc9
SHA1 hash:
3bce5c283ba540a860ac59850f03b57a85842692
Link:
https://www.unpac.me/results/5cd32a0b-837b-40da-aec6-83bd5e5e90a2/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/5cd32a0b-837b-40da-aec6-83bd5e5e90a2/
SH256 hash:
452bf551a3388719d630e0bc86b9214966edb23211c4016a3b3fe39fd5d44a73
MD5 hash:
cc0ec566dace90117cf77e8dab755ca4
SHA1 hash:
9756ba50b8f9f7a4359cf1a968275cd8d0e02082
Link:
https://www.unpac.me/results/5cd32a0b-837b-40da-aec6-83bd5e5e90a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 3222c6ff95c5844cfb45cdc87c411ecb757e8f7897728ec98168d9f64d455ae5

Executable exe 60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b

(this sample)

  
Dropped by
MD5 9a06ea4e6fb5b933f70069bcaa71f03b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111594/
  
Dropped by
SHA256 3222c6ff95c5844cfb45cdc87c411ecb757e8f7897728ec98168d9f64d455ae5

Comments