MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fa5193499b368d6d8019e1d0911bfd896de0e79250f6b1bf9f371c7f213f12f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	6fa5193499b368d6d8019e1d0911bfd896de0e79250f6b1bf9f371c7f213f12f
SHA3-384 hash:	21bd73ab94cad2ba741a07691dae13f3e29c11f0047f11b75d767900c2a2dcb921a3fc7c93efc25261ce3921b363141d
SHA1 hash:	8224b5c66169e56f4d11d256105d2553e14d7aa8
MD5 hash:	9809e7b484681c1cac1541d4c69a688f
humanhash:	kitten-charlie-ink-march
File name:	Purchase Order 30003232.exe
Download:	download sample
File size:	873'984 bytes
First seen:	2020-12-08 07:49:46 UTC
Last seen:	2020-12-08 09:31:18 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:+wPnmfBE+/5Bsj8H6v+R/4lVajUXv61GXSBEAlAZImBI+na+LZSg64iNcIUx:++Mh5a8H6v+R/4a3HXx8Eg4g5
Threatray	11 similar samples on MalwareBazaar
TLSH	DF05BF349FA9163AF57BAB3C89A02146A7AE77D37703CD6C59B502C90723A02DDC163D
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: vikumer.com
Sending IP: 185.222.57.176
From: info@vikumer.com
Subject: Purchase Order 30003232
Attachment: Purchase Order 30003232.gz (contains "Purchase Order 30003232.exe")

Intelligence

File Origin

# of uploads :

2

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/107182/

Detection(s):

SecuriteInfo.com.BehavesLike.Win32.Generic.cc.4685.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching the default Windows debugger (dwwin.exe)

Result

Gathering data

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/557675

Signature

.NET source code contains very large strings

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fa5193499b368d6d8019e1d0911bfd896de0e79250f6b1bf9f371c7f213f12f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-08 04:08:38 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n6srsnezwnunnwabtyoqsen73cln4dtzeuhwwg7z6ny4p4qt6exq._file

Verdict:

unknown

Similar samples:

1989b7078501dfe26669ba2af737ed8dba616acb527193e3c64eaf3a1942c5b8

2747b81e4380b16d6283a0f236ecb4b51c9296c559ded7f71d45a0c30cd35d03

4cf9aa6df9472ddba54a9104d6d559229da3796b96a8dcd2a9ed52873f7359e5

58322659acfc21d063a2acb0d64ea2846d21ab2e256b0ae4f83646ff03bf2387

5df2f562749ce15ad7236e5ddf98ca6d8345c6edb40d7d9b7363b3dac26c4a83

c8bc2bde7ab29368fc3ac5e32367bf63156514940465721908846bcc353eec27

d805b37ff430c59fbac19f5ccbbaa2eec750849def87f05c7bf14e68f8531416

dcb39be80203e5de62b87f99b5fe21eb25556d58c9d654156850995e86f1f4ba

de10e041ff3250edccbe8a5edee50e9812620a3fff80de82545f018ad24cca0b

ff21de6f802e53369430d704c5372b8598c4ffdb7a693664ef22422c04b84c5f

+ 1 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/201208-wapc2116yj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

6fa5193499b368d6d8019e1d0911bfd896de0e79250f6b1bf9f371c7f213f12f

MD5 hash:

9809e7b484681c1cac1541d4c69a688f

SHA1 hash:

8224b5c66169e56f4d11d256105d2553e14d7aa8

Link:

https://www.unpac.me/results/3e6fb734-b1a4-4357-b4c2-73947973467f/

SH256 hash:

9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f

MD5 hash:

7476e403eef14ac403c63c7279831780

SHA1 hash:

8387f558e30dc115987ac2b5c174a41302471abf

Link:

https://www.unpac.me/results/3e6fb734-b1a4-4357-b4c2-73947973467f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6fa5193499b368d6d8019e1d0911bfd896de0e79250f6b1bf9f371c7f213f12f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz 0a6d0c695f4ec3f75b9959ec39add143fcecc2fa8fb0bb3140a5d5260e01fced

exe 6fa5193499b368d6d8019e1d0911bfd896de0e79250f6b1bf9f371c7f213f12f

(this sample)

Dropped by

MD5 653de523948f4a5385886e8f924939c9

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/107182/

Dropped by

SHA256 0a6d0c695f4ec3f75b9959ec39add143fcecc2fa8fb0bb3140a5d5260e01fced

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample