MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04
SHA3-384 hash: f2eaacb2e6256d10fdb21aec6b61d9f09c8d2aa476fd0fae101ac4a28ab21ad19621fdd5e571d02ba823abc89e9ae1ff
SHA1 hash: f775e9e5bf96701f6e0f13962d0bdd7c22385560
MD5 hash: 10e7d5b08f8741c70689c8a79852f6e4
humanhash: kilo-colorado-lamp-twenty
File name:Payment Receipt.exe
Download: download sample
File size:544'768 bytes
First seen:2021-02-23 07:18:50 UTC
Last seen:2021-02-23 08:46:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ce95782f94d8c06a522ef2ce68f3fe9
ssdeep 12288:CJZJpZFS02i46A9jmP/uhu/yMS08CkntxYRo:CJZ7ZFiNfmP/UDMS08Ckn3R
Threatray 5'079 similar samples on MalwareBazaar
TLSH A2C48D17EB10F10AE452C8B02965929B67397D321280AE03F7C16F5AA6726D7BCF570F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail2.vtigress.com
Sending IP: 183.82.99.119
From: Basudeb Pan <test@vtigress.com>
Subject: Payment Acknowledgement Is Attached
Attachment: Payment Receipt.zip (contains "Payment Receipt.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118486/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop16.11011.1267.2231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Sending a UDP request
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/615056
Signature
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected VB_Keylogger_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356537 Sample: Payment Receipt.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 84 20 Multi AV Scanner detection for dropped file 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 Yara detected VB_Keylogger_Generic 2->24 26 5 other signatures 2->26 7 Payment Receipt.exe 1 14 2->7         started        10 gnlbivch.exe 2->10         started        process3 file4 18 C:\Users\user\AppData\...\gnlbivch.exe, PE32 7->18 dropped 12 cmd.exe 1 7->12         started        14 gnlbivch.exe 1 13 7->14         started        process5 process6 16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04/
Threat name:
Win32.Trojan.Johnnie
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 04:42:45 UTC
AV detection:
25 of 47 (53.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ov3orikzlwelptnqboyamsginjqkfyxx4jceeri4kkcvh5dh5qca._file
Verdict:
malicious
Similar samples:
54f76bffd468bfb38aaf0adb0fadbfc9fa3a947b420d002c2206e57c805e6000
688e87c580badf94b1e0ce02b5b6bd709d6e779abdf22e193209fc7f45946e30
6d1939969f1763fa1f69073ed09fa37d443fd3a6739584bf5943ca8e54963023
7a683de7c9bf17f6f06a9c8b5b718f9a17624a9022b7dea662816142c2c245bd
8a02cd4cb429e9dd4b6c495995462db775566519c1d1cc3e27795763eb00f457
930328b4d0e869b7d6eec8b250366523258c33c121a8515d3a78fe8d6c8c9fc1
9d344a9f72ff5ca8a726f7966a6ef89723d7716e23ee3d6aaa8eef8f9299a7f9
b10f38f6a63515c0057b541723f7de935b6b8ee58cb3baca1f5cce7a20813da2
c68eae2a2fb14e31a3099eee2c2f7d880653a7ed87ede88c638541854e01d3c2
cb23f5a566bfa91b51d3ecd344e3f6025023463532fa4d5edf5d0785814529d7
+ 5'069 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210223-w8zvavkdsj/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04
MD5 hash:
10e7d5b08f8741c70689c8a79852f6e4
SHA1 hash:
f775e9e5bf96701f6e0f13962d0bdd7c22385560
Link:
https://www.unpac.me/results/8f1ae1ce-5953-41df-95d7-c166571ce677/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 68bb98df259614529f5a4477e6522c2c50562dbd09268ec94b2abff1a8aa30f5

Executable exe 7576e8a1595d88b7cdb00bb00648c86a60a2e2f7e24442451c528553f467ec04

(this sample)

  
Dropped by
MD5 db19390740d15be6f2d74fcfec6a99d5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118486/
  
Dropped by
SHA256 68bb98df259614529f5a4477e6522c2c50562dbd09268ec94b2abff1a8aa30f5

Comments