MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
SHA3-384 hash: 3a709b22f934feb2d13a7a38c755651dff64e3b1addf96169d95fa4752418b21115bc5df0d657fedcda74cae73714435
SHA1 hash: aa49ffa7db0c118b644b62d75a0cc27b62a680aa
MD5 hash: 85f51ff6bd810b0122a2c38eef70fa06
humanhash: twenty-rugby-island-pasta
File name:PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Download: download sample
File size:499'712 bytes
First seen:2021-04-26 05:37:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7b8bcfd7b99728418ba315f20c4f6aa1
ssdeep 12288:wok1HLr95tRSijB46A9jmP/uhu/yMS08CkntxYRA:Bk1HLZ5tR56fmP/UDMS08Ckn3B
Threatray 5'507 similar samples on MalwareBazaar
TLSH FEB48D17E600F10FE993C4B12D29969E28292E360680AA17F7C56F5E31726D3B8F571F
Reporter abuse_ch
Tags:scr

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PRODUCT SAMPLE & ORDER SHEET.PDF.scr
Verdict:
Malicious activity
Analysis date:
2021-04-26 05:40:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/45f1ad09-e4f7-47fb-8a0d-f7d4996ac7a7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144171/
Detection(s):
Win.Keylogger.Jaik-9853735-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Launching a process
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/697500
Signature
Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected VBKeyloggerGeneric
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-04-26 05:38:11 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=npddlzvmbg4ibi4j3xzxz2voqhftr7mbwolgzilfnns4puhu3d6q._file
Verdict:
malicious
Similar samples:
1e3332a35254c8468daabc9acc98696253c6c7ff6f34b3e23a347194b72e5096
1e8b04f61e8d6fc7b1bd0498cb69d0063ddb35817228b35297ec0e4174b144e6
46eaf748d89e5d575bd73f334ece5a27be507566bf23adabd949a79daebbcf04
4f757df2792c664abda17fd4f9bf9c0c1a02ac456d3189073626cfcfc3ca8d20
54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000
5c4943289a1959b03d31592b147472be4d31a2637316b7bbe102412082619502
6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023
7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04
cb23f5a566bfa91b51d3ecd344e3f6025023463532fa4d5edf5d0785814529d7
e70629dcf62d93f64e5e57e1e03d2d662822926bd73aed78fea3cceb9a16b4a2
+ 5'497 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210426-kz1aw3evej/
Behaviour
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd
MD5 hash:
85f51ff6bd810b0122a2c38eef70fa06
SHA1 hash:
aa49ffa7db0c118b644b62d75a0cc27b62a680aa
Link:
https://www.unpac.me/results/586fd89c-58ac-4cc4-97c2-7c55df7ed8bd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Vcrypt
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 6bc635e6ac09b880a389ddf37ceaae81cb38fd81b3966ca1656b65c7d0f4d8fd

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/144171/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-26 06:06:46 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
2) [C0019] Data Micro-objective::Check String