MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236
SHA3-384 hash:	be2d96ca8d301fe32cf75678f17c7f5d0d8a9810463a5d68fd9c9b97c12a5e582a0bd82484d2885ba00081a3cdca7509
SHA1 hash:	ea7ff2bbc854075a3e6a3febed71f4b3b154be17
MD5 hash:	73a71d2ca9c8f3612dd0ee8dbf9a2fd6
humanhash:	autumn-paris-mountain-black
File name:	PLS ORDER 20231106- C0X5TTA1J.scr
Download:	download sample
File size:	54'272 bytes
First seen:	2023-11-09 06:55:41 UTC
Last seen:	2023-11-09 08:17:42 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	1536:c6fuefdzXv1iJdq6ma/O0b9hk9vYEW5MB1vvzK:c6fum1irjHb9hFEWSB1XzK
TLSH	T13E334B0C338CAA22C67C2ABD8CF2164447BEA1F77D02E7079D84739569437E65616A8B
TrID	56.5% (.EXE) Win64 Executable (generic) (10523/12/4) 11.0% (.ICL) Windows Icons Library (generic) (2059/9) 10.9% (.EXE) OS/2 Executable (generic) (2029/13) 10.7% (.EXE) Generic Win/DOS Executable (2002/3) 10.7% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	64f4d4d4ecf4d4d4 (82 x SnakeKeylogger, 34 x AgentTesla, 24 x Formbook)
Reporter	abuse_ch
Tags:	exe scr

Intelligence

File Origin

# of uploads :

# of downloads :

268

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PLS ORDER 20231106- C0X5TTA1J.scr

Verdict:

Malicious activity

Analysis date:

2023-11-09 08:15:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/530122a4-3503-4fb2-a023-34f5831ba43d

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.RATX-gen.10042.25807.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade

Link:

https://www.filescan.io/uploads/654c828f886b1623ff3ca7fa/reports/cdb35efb-6b8f-4fb1-8c6d-c2904625b8d4/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d75fba27-4694-4746-848d-b75b41739abe

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1339488

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Initial sample is a PE file and has a suspicious name

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Score:

96%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236/

Threat name:

ByteCode-MSIL.Trojan.Seraph

Status:

Malicious

First seen:

2023-11-06 03:11:35 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=n7lllzfqvx5qbpkdnlijc225j73bpcvhryunelebw36ncwprsi3a._file

Verdict:

malicious

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/231109-hqcpcaga8z/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236

MD5 hash:

73a71d2ca9c8f3612dd0ee8dbf9a2fd6

SHA1 hash:

ea7ff2bbc854075a3e6a3febed71f4b3b154be17

Link:

https://www.unpac.me/results/35e9de4f-2544-4f94-83c9-c686b5061177/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/6fd6b5e4b0adfb00bd436ad0916b5d4ff6178aa78e28d22c81b6fcd159f19236

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample