MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52
SHA3-384 hash: 6a1efff0fe6b0723b5a0953671f414d37e6d9b037fce8683d35196dd167cd411f22f13cbc175cc89a489a0de8c5f523a
SHA1 hash: 1cf402dc276a2602257b5fb8b51afef53a87f32e
MD5 hash: bd482c29a97ced387c278d3c445a3b57
humanhash: alpha-idaho-wyoming-ceiling
File name:Alfa Laval Aalborg AS Statement of Account_xlxs.exe
Download: download sample
File size:750'592 bytes
First seen:2022-11-29 07:35:36 UTC
Last seen:2022-11-29 09:37:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:84hqU+PDccQGCWWAWW6guAcmtVNTF/sNDdzoa1cfN:BuDYGnsg5V5F+DdEPf
Threatray 5'395 similar samples on MalwareBazaar
TLSH T153F4CF9033A6AF71F12967F37521804827B63C6E94F5D6296ECDB0DE2672B4049F0B27
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 080100040c4a0108 (2 x Formbook, 1 x RemcosRAT, 1 x NanoCore)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Alfa Laval Aalborg AS Statement of Account_xlxs.exe
Verdict:
Malicious activity
Analysis date:
2022-11-29 07:40:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/cf16a709-f5d1-4697-953d-a0dd837534b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/339675/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.7846.5863.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6385b66424da1c12cfe2031e/reports/dcf52a97-c2c6-4ee9-9818-3ddcde2100e0/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e5bb0550-6fa2-4c82-bb27-d874973b65a3
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1123128
Signature
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-11-29 06:56:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
19 of 25 (76.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nkavw5gm23cr6oz6gy2ntnepqq37gbfotvamhcqefkdiwx5avjja._file
Verdict:
malicious
Similar samples:
08147a0de0bb290829a48536b659527ee1a3c6017df1d1d911f79fd76c0ff859
13221e70924c7c7eed105646282d0ace162ad1abc1e613219046fe131feb7818
208591b78135b397fcf22a58338bea5c086935362fb5e255e40ecb1a78245209
35aeecd77643fc7df90432db30ef248cfba29a9cc98a2c164b3bb4d233974734
79824a68ef3795850a225075666622469f026c0f5e983af0e5d01c681270f85a
bf7e149d1f9261676dcfd400ee235372b01f64302efc5be2eb053308e1203d73
f0aadf2a2f9a5dfab9ca866cbb2162e8ff55f47991e28895e34ca255559f681a
+ 5'385 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221129-jfabxacd6z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
3624268b1bf67fd3f560f345e5171f3a2f8968a776c23816ea76fc0ef41b0f03
MD5 hash:
1619753b625e58c25b73fbf1f0bff482
SHA1 hash:
c0d7922bdbc10ef0ee1606a40c2dedd22cb180d4
Link:
https://www.unpac.me/results/5df18b79-7b13-4059-b201-c37b982ccff6/
SH256 hash:
8dd25cb03e414874fb3d7849b6f98335916b435f692c452f2a0f94cb4372f212
MD5 hash:
08dcb86efde1bb44b92d9044884aa9e6
SHA1 hash:
381a67e2729c61413e7ef447d36f61a467ef1c51
Link:
https://www.unpac.me/results/5df18b79-7b13-4059-b201-c37b982ccff6/
SH256 hash:
340ba2312d5cdfc3d89f3f35f627187dcb406e5afea134bc76b04f52f4285df3
MD5 hash:
85f9290aa8900e9fd74b01ee23125706
SHA1 hash:
310eb5e4aea5471b74a6385f1da283b9d8e3d698
Link:
https://www.unpac.me/results/5df18b79-7b13-4059-b201-c37b982ccff6/
SH256 hash:
f969e2f871d19846c08997e1dda72b89698aee75b470ce0c02474d306772db4a
MD5 hash:
fb5a517fcc240ac86325512a1bb84ce1
SHA1 hash:
04eac4240e45304ff8450696bb43bd1514afceca
Link:
https://www.unpac.me/results/5df18b79-7b13-4059-b201-c37b982ccff6/
SH256 hash:
6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52
MD5 hash:
bd482c29a97ced387c278d3c445a3b57
SHA1 hash:
1cf402dc276a2602257b5fb8b51afef53a87f32e
Link:
https://www.unpac.me/results/5df18b79-7b13-4059-b201-c37b982ccff6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 6a815b74ccd6c51f3b3e3634d9b48f8437f304ae9d40c38a042a868b5fa0aa52

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/339675/

Comments