MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023
SHA3-384 hash: 805c9cf6c09365e19b434d55489db5098963d1d69ec82fa7a2b150ae838adf3e48bd366fb8cd6d93a4ff757aaeafe3a6
SHA1 hash: 25589926b5c189b8bee1c942839993c966c2a48a
MD5 hash: ddba3b95498cd1cb484ac05fcc362309
humanhash: skylark-thirteen-stairway-mobile
File name:Invoice Confirmation.exe
Download: download sample
File size:544'768 bytes
First seen:2021-02-23 07:23:06 UTC
Last seen:2021-02-23 08:45:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ce95782f94d8c06a522ef2ce68f3fe9
ssdeep 12288:PJZJpZFS02p46A9jmP/uhu/yMS08CkntxYRo:PJZ7ZFiifmP/UDMS08Ckn3V
Threatray 5'047 similar samples on MalwareBazaar
TLSH E4C48D17EB10F10AE452C8B02965929B67397D321280AE03F7C16F5AA6726D7BCF570F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: orga-nl.com
Sending IP: 185.214.10.109
From: gregor.lex <gregor.lex@postcon.de>
Subject: Your Payment Has Been Approved
Attachment: Invoice Confirmation.zip (contains "Invoice Confirmation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118508/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop16.11011.25193.5347.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Launching a process
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/614958
Signature
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356488 Sample: Invoice Confirmation.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 84 20 Multi AV Scanner detection for dropped file 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected VB_Keylogger_Generic 2->24 26 5 other signatures 2->26 7 Invoice Confirmation.exe 1 15 2->7         started        10 lsnotfch.exe 2->10         started        process3 file4 18 C:\Users\user\AppData\...\lsnotfch.exe, PE32 7->18 dropped 12 cmd.exe 2 7->12         started        14 lsnotfch.exe 1 13 7->14         started        process5 process6 16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023/
Threat name:
Win32.Trojan.Graftor
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 00:23:44 UTC
AV detection:
25 of 47 (53.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=numttfu7c5r7uh3ja47nbh5dpvcd7u5gookyjp2zipfi4vewgarq._file
Verdict:
malicious
Similar samples:
13ecafca02eeec89fad5ee7ba883009904ec6bf4e4a1685c60536d3be93ccb48
273dbbe13038af4711afea42cdd3b676b7f52598d0e8c12307557e9d6eb46c96
43ca8605af17f08bd6e9dc30aa7ab1d206d501160040e5a8a085f46d2e01f2c9
54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000
7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04
7b60c03d5c2d88a8b7554ea4aba5e33061cae9b59af4d852f343625c02ef96e2
930328b4d0e869b7d6eec8b250366523258c33c121a8515d3a78fe8d6c8c9fc1
9854450087a87df2edad5dfd0bbd7db5bc12f569513f59178ba1e8a3afdbe1dd
c68eae2a2fb14e31a3099eee2c2f7d880653a7ed87ede88c638541854e01d3c2
cb23f5a566bfa91b51d3ecd344e3f6025023463532fa4d5edf5d0785814529d7
+ 5'037 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-cxf2nxdkr6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023
MD5 hash:
ddba3b95498cd1cb484ac05fcc362309
SHA1 hash:
25589926b5c189b8bee1c942839993c966c2a48a
Link:
https://www.unpac.me/results/ad82e50d-a6ad-4ca8-9b08-95f438938eb1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 6c54b16036d4bb6c8600a74e75316b8712725f2ef1a2bce660d7227a74bd68bb

Executable exe 6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023

(this sample)

  
Dropped by
MD5 b87c8c14a1a3a23ba4b6a36f644b7ed2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118508/
  
Dropped by
SHA256 6c54b16036d4bb6c8600a74e75316b8712725f2ef1a2bce660d7227a74bd68bb

Comments