MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 717b902e972dc5fef4b12b83f75a922acb007a547ec772b2084b307361d7f630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 717b902e972dc5fef4b12b83f75a922acb007a547ec772b2084b307361d7f630
SHA3-384 hash: 97b709aeed164132600b4baa1771024a7ec80c84523964dc2b066e814dc19c5375317f32c7be196ff82a1579373ae1c0
SHA1 hash: 5ced8ee28dc12a99029f8570708dfe80194a4d85
MD5 hash: 0426e992a97c8e58cb1ac5c205fe1a4a
humanhash: double-wisconsin-nineteen-kentucky
File name:Document N0-BR1702Q667420_12.com
Download: download sample
File size:62'944 bytes
First seen:2020-12-04 19:57:31 UTC
Last seen:2020-12-04 21:48:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 768:ayimlLT4C/lc8sJhIhw8nIhbfTo7JMsmnvDRpP8q4yTpgl59+pn9GQzaUf2hMd:acLl2hIjIhbfToONp0LyTpI+pQUfVd
Threatray 39 similar samples on MalwareBazaar
TLSH 7953ED7E623DAA32FB02EF3321F761B3BA85019627B76757916F1B45EC0204C5B47862
Reporter abuse_ch
Tags:com


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: delivery.mailspamprotection.com
Sending IP: 146.66.121.162
From: LEXADRIL <inquiry@lexadril.com>
Reply-To: inquiry@lexadril.com
Subject: New purchase Order Inquiry
Attachment: Document N0-BR1702Q667420_12.r11 (contains "Document N0-BR1702Q667420_12.com")

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106826/
Detection(s):
SecuriteInfo.com.Generic.mg.0426e992a97c8e58.1307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Setting a global event handler
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Blocking the Windows Defender launch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/556058
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Sigma detected: Powershell adding suspicious path to exclusion list
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 327130 Sample: Document N0-BR1702Q667420_12.com Startdate: 04/12/2020 Architecture: WINDOWS Score: 92 60 pastebin.com 2->60 62 hastebin.com 2->62 72 Sigma detected: Powershell adding suspicious path to exclusion list 2->72 74 Executable has a suspicious name (potential lure to open the executable) 2->74 76 Initial sample is a PE file and has a suspicious name 2->76 78 3 other signatures 2->78 8 Document N0-BR1702Q667420_12.exe 24 6 2->8         started        13 Document N0-BR1702Q667420_12.exe 2->13         started        15 Document N0-BR1702Q667420_12.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 68 pastebin.com 104.23.98.190, 443, 49730 CLOUDFLARENETUS United States 8->68 70 hastebin.com 172.67.143.180, 443, 49724, 49740 CLOUDFLARENETUS United States 8->70 56 C:\Users\...\Document N0-BR1702Q667420_12.exe, PE32 8->56 dropped 58 Document N0-BR1702...exe:Zone.Identifier, ASCII 8->58 dropped 84 Creates an undocumented autostart registry key 8->84 86 Creates autostart registry keys with suspicious names 8->86 88 Creates multiple autostart registry keys 8->88 90 3 other signatures 8->90 19 Document N0-BR1702Q667420_12.exe 8->19         started        24 cmd.exe 1 8->24         started        26 powershell.exe 24 8->26         started        34 4 other processes 8->34 28 cmd.exe 13->28         started        30 cmd.exe 15->30         started        32 cmd.exe 17->32         started        file6 signatures7 process8 dnsIp9 64 193.239.147.53, 49732, 49733, 49741 DEDIPATH-LLCUS Brunei Darussalam 19->64 54 C:\Users\user\AppData\Local:04-12-2020, HTML 19->54 dropped 80 Creates files in alternative data streams (ADS) 19->80 82 Hides threads from debuggers 19->82 36 conhost.exe 24->36         started        38 timeout.exe 1 24->38         started        40 conhost.exe 26->40         started        42 conhost.exe 28->42         started        44 timeout.exe 28->44         started        52 2 other processes 30->52 66 192.168.2.1 unknown unknown 34->66 46 conhost.exe 34->46         started        48 conhost.exe 34->48         started        50 conhost.exe 34->50         started        file10 signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/717b902e972dc5fef4b12b83f75a922acb007a547ec772b2084b307361d7f630/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2020-12-04 19:58:10 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=of5zaluxfxc755frfob7owusflfqa6sup3dxfmqijmyhgyox6yya._file
Verdict:
unknown
Similar samples:
3a53fc0060de3daa43eda52ecb4348ede9d1d95ba89e81906c19da1afd9376b5
3e483d19170652c8c74d9a42ef17804b4739e6290f08e54c68f8311e390b0c1f
736cb846af9e2de5730d5b788603d49374fee0e309d2681392456aa41ec3eda1
b31fb3832c2f366796fcc9165c60c58da5c866973377ab0d43f71586c461b8fb
ba318072fe85e168c5fd55a30760ac306f75fa76c2d5ec40533b0505cda1c26d
cd857ee1ccdff34a0cd65732a18bc3a99d53e388423dcff0a73ca0307dcb1f7a
de5c46975f4bd7759bf711ea3ecc5833c0eadac92b466806e3a2cdcb57b7da19
e1f08269363e55708c850e156f5f4cdc50acc14efdce1f3464a70c91548c7548
ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
fb63a3112ca1b2cb9d57ab6bc9a2b90c9ec4c5f4995e77c44823440de7dea711
+ 29 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence trojan upx
Link:
https://tria.ge/reports/201204-cf6alvyyza/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Windows security modification
UPX packed file
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
717b902e972dc5fef4b12b83f75a922acb007a547ec772b2084b307361d7f630
MD5 hash:
0426e992a97c8e58cb1ac5c205fe1a4a
SHA1 hash:
5ced8ee28dc12a99029f8570708dfe80194a4d85
Link:
https://www.unpac.me/results/99ab7b46-d588-48a4-8d3f-1dd0735c9022/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/717b902e972dc5fef4b12b83f75a922acb007a547ec772b2084b307361d7f630

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar f4a0bc1c476693bd0d722464bf34bc62bc02514039e579174dce6d3c15e595c0

Executable exe 717b902e972dc5fef4b12b83f75a922acb007a547ec772b2084b307361d7f630

(this sample)

  
Dropped by
MD5 981302dc4aec9d4e87a8b7c0262fb13f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f4a0bc1c476693bd0d722464bf34bc62bc02514039e579174dce6d3c15e595c0
Cape
Cape
https://www.capesandbox.com/analysis/106826/

Comments