MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7609034e7473869b3a5767f9543b6067998f4db68e3ba26966c115535337337f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 7609034e7473869b3a5767f9543b6067998f4db68e3ba26966c115535337337f
SHA3-384 hash: b4abd20048663b70ffd30e58c0efbf0636a63b43c4d015fb5994717f217a1c627ed5d22a07c33c9b3bfb939041936215
SHA1 hash: a30a260cb9c9d3193dc71d580d09656dd5c0f4e1
MD5 hash: e5b15619b70d6e96af783327dc79eda7
humanhash: cola-nine-moon-sixteen
File name: SP0728.rtf
Signature: n/a
File size: 1'726'125 bytes
First seen: 2020-07-31 13:22:21 UTC
Last seen: Never
File type: Rich Text Format (RTF) rtf
MIME type: text/rtf
ssdeep: 24576:Owd0vkXsaDMCmjs1oHUmK/8ugdWDEiLiPw:V
TLSH: CA85A474A04178D2FA5B875F9349FDA1327DB2628AC649C84FDDC6F026A32D49B3C4B4
Reporter: @JAMESWT_MHT

Intelligence


File Origin
# of uploads: 1
# of downloads: 38
Origin country: IT
Mail intelligence: No data
Vendor Threat Intelligence
Result
Threat name: Unknown
Detection: malicious
Classification: expl
Score: 60 / 100
Signature:
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office process drops PE file
Behaviour
Behavior Graph (ID: 255383; Sample: SP0728.rtf; Start date: 31/07/2020; Architecture: WINDOWS; Score: 60)
Processes started: WINWORD.EXE, OpenWith.exe, splwow64.exe (started by WINWORD.EXE)
Network: g.msn.com, asf-ris-prod-neurope.northeurope.cloudapp.azure.com
Dropped file: C:\Users\user\AppData\Local\Temp\muka.dll (PE32), dropped by WINWORD.EXE
Signatures: Document exploit detected (drops PE files); Office process drops PE file; Document exploit detected (creates forbidden files)
Threat name: Win32.Trojan.Skeeyah
Status: Malicious
First seen: 2020-07-31 13:24:07 UTC
AV detection: 24 of 47 (51.06%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Launches Equation Editor
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Enumerates system info in registry
NTFS ADS
Loads dropped DLL
Threat name: Bloodhound
Score: 1.00

Yara Signatures


Rule name: MAL_RTF_Embedded_OLE_PE
Author: Florian Roth
Description: Detects a suspicious string often used in PE files in a hex encoded object stream
Reference: https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/

Rule name: Retefe
Author: bartblaze
Description: Retefe

Rule name: SharedStrings
Author: Katie Kleemola
Description: Internal names found in LURK0/CCTV0 samples

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download: Rich Text Format (RTF) rtf 7609034e7473869b3a5767f9543b6067998f4db68e3ba26966c115535337337f (this sample)

Delivery method: Distributed via web download

Comments