MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
SHA3-384 hash: 8411f98c8e40b42c551845526a076db772a98b544cab1926bca71e72e21cf95ba9e93dbf18ccc31ed3b0e2880e337794
SHA1 hash: 3ce9137efc80c5e169cb9b0a200339fae09c1202
MD5 hash: 389ca41e54649946a7b8b1c15d0da2df
humanhash: march-one-oregon-green
File name:Scan34295420.scr
Download: download sample
File size:896'000 bytes
First seen:2021-01-13 20:10:11 UTC
Last seen:2021-01-13 21:59:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:PUpoZgRa4fL8YPFhkENO4jfCbN89CzZWcprk2N+tKypNGetg2e/09H:P2oZgVfL8CzDNj6uIWSA7pm2
Threatray 42 similar samples on MalwareBazaar
TLSH 0015C582F395CE80F66431BB979EA62A1342FCCF0B03CA95631A7E751D7B1C12D8D658
Reporter abuse_ch
Tags:MailChannels scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: bumble.maple.relay.mailchannels.net
Sending IP: 23.83.214.25
From: Accounts <Accounts001@psg.com>
Reply-To: Account <psg@safrica.com>
Subject: Pay001 January
Attachment: Scan34295420.img (contains "Scan34295420.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Scan34295420.scr
Verdict:
Malicious activity
Analysis date:
2021-01-14 05:10:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ebd95478-1cec-49a7-affd-514e0c03533f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111842/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.505.1657.31896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Launching a process
Creating a file
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% directory
Creating a process from a recently created file
Modifying an executable file
Moving a file to the %temp% directory
Moving of the original file
Unauthorized injection to a recently created process
Enabling autorun
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/580689
Signature
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339383 Sample: Scan34295420.scr Startdate: 13/01/2021 Architecture: WINDOWS Score: 76 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AntiVM_3 2->36 7 Scan34295420.exe 2 2->7         started        process3 file4 24 C:\Users\user\...\Scan34295420.exe.log, ASCII 7->24 dropped 38 Moves itself to temp directory 7->38 40 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->40 11 windows.exe 5 7->11         started        15 cmd.exe 1 7->15         started        signatures5 process6 file7 26 C:\Users\user\AppData\Roaming\windows.exe, PE32 11->26 dropped 28 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 11->28 dropped 42 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->42 17 windows.exe 11->17         started        20 reg.exe 1 1 15->20         started        22 conhost.exe 15->22         started        signatures8 process9 signatures10 30 Multi AV Scanner detection for dropped file 17->30 32 Creates an undocumented autostart registry key 20->32
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce/
Threat name:
ByteCode-MSIL.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-01-13 20:11:10 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ovtuxisvrvx463jzslyjxwd2vmuc5ifs3g6qdvxacsninfig4pha._file
Verdict:
unknown
Similar samples:
2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
3d39fc826f6ed0115155842080406ffc82f930c5daae8ef710d3c30009fd0106
3ec27e7b95a43db7d79fa8a011c09bd9bcb0ef97f5f114b0de2b471e4805fc9d
7c8f873fc34661a785875f76a1f3b1aff6719e69d2a4ea5d2d94f849282b623a
7eb2de2bfd05ee1e83980aa914486789d2e8f3fb3cc6e166f140302fdaf40cd9
91a31ae7de6c7cfa8123333cec0fb4ac9317b12e8b1ede01de97936c8ab82ed7
adedffa71c26b2855f85a6eba9f0415769efc743022f44a8f61c95b09b7dedf3
b1251d0a542cd96f6957904d30289cbf675035ae79ac4158fc098aa84cd22506
c75e2b1752bd8221bd68fea21243915af2a92834a23d148a46e41b370badfd18
d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
+ 32 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210113-8sjwdndyee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce
MD5 hash:
389ca41e54649946a7b8b1c15d0da2df
SHA1 hash:
3ce9137efc80c5e169cb9b0a200339fae09c1202
Link:
https://www.unpac.me/results/e1260321-5df9-4bd0-9b8e-c906afd4aa60/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/e1260321-5df9-4bd0-9b8e-c906afd4aa60/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/e1260321-5df9-4bd0-9b8e-c906afd4aa60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 867130e1d4af126ebee45e5b52bb4679233a3aa1678d1411b34373b9bccabeec

Executable exe 75674ba2558d6fcf6d3992f09bd87aab282ea0b2d9bd01d6e0149a869506e3ce

(this sample)

  
Dropped by
MD5 0cbd41379cf4ff250190ffbcf68b8367
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/111842/
  
Dropped by
SHA256 867130e1d4af126ebee45e5b52bb4679233a3aa1678d1411b34373b9bccabeec

Comments