MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66b6e4517951dc288fe97b820db4207e9bac981a61c1f16a0a6a7a70093a1f7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	66b6e4517951dc288fe97b820db4207e9bac981a61c1f16a0a6a7a70093a1f7b
SHA3-384 hash:	001475046952a211e9546a973e8b30a677f8ed7d4042199c96761871bc5193f3b6cbd9d8174108ce5e0c32549e62dd4c
SHA1 hash:	e685b907c4f359e5c9b7323c6422c0eadcd796a3
MD5 hash:	82d18e9a2179dbe19d0f8fe60b5018a4
humanhash:	river-leopard-missouri-eleven
File name:	order confirmation reference no. FXEPS6S081020.exe
Download:	download sample
File size:	1'558'016 bytes
First seen:	2020-10-14 15:55:30 UTC
Last seen:	2020-10-14 17:01:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7cbc72aa700dca881a2ec4863ea68f4e (4 x AveMariaRAT)
ssdeep	24576:kymN1w8EoWhuadnIscVOl98Xa4PSIdDjSCUHKn8oSCPMBf0N/n18NAm3aELc10+3:oN1w8NGIsA68/BZmErPV/CNATL
Threatray	1 similar samples on MalwareBazaar
TLSH	9D75332172F58294D5F31A7505B5B9698D7BFE52EA32C3043224A00A9EBEF215FC077B
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: alhijazgroup.net
Sending IP: 80.85.158.19
From: sales <sabu@alhijazgroup.net>
Subject: order confirmation reference no. FX/EPS6/S08/10/20
Attachment: order confirmation reference no. FXEPS6S081020.cab (contains "order confirmation reference no. FXEPS6S081020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/70926/

Detection(s):

SecuriteInfo.com.Troj.Agent-BFUF.32498.19549.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/491396

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file has nameless sections

Potential time zone aware malware

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/66b6e4517951dc288fe97b820db4207e9bac981a61c1f16a0a6a7a70093a1f7b/

Threat name:

Win32.Packed.EnigmaProtector

Status:

Malicious

First seen:

2020-10-14 00:03:27 UTC

AV detection:

20 of 29 (68.97%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m23oiulzkhocrd7jpoba3nbap2n2zga2mha7c2qknj5hacj2d55q._file

Verdict:

suspicious

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201014-f7rdq2qck6/

Behaviour

Suspicious use of SetWindowsHookEx

Unpacked files

SH256 hash:

66b6e4517951dc288fe97b820db4207e9bac981a61c1f16a0a6a7a70093a1f7b

MD5 hash:

82d18e9a2179dbe19d0f8fe60b5018a4

SHA1 hash:

e685b907c4f359e5c9b7323c6422c0eadcd796a3

Link:

https://www.unpac.me/results/8a2981a9-6a52-4093-9c3c-57f422dd7d02/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/66b6e4517951dc288fe97b820db4207e9bac981a61c1f16a0a6a7a70093a1f7b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834