MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8
SHA3-384 hash: 1348a2c7d4382698ac9d0669b1b60a4c43446be592d97862746ce34af0c4dfbc418b636555b8e09b45cd4083d261edb4
SHA1 hash: 2c7e88feed5784a381b9e5ce01c9308929497f61
MD5 hash: 1890133e76ec2fe09839907d1172e605
humanhash: cardinal-pip-sixteen-oklahoma
File name:Production order List Quotation.pdf.exe
Download: download sample
File size:445'783 bytes
First seen:2021-01-15 15:58:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1f4f257947c1b713ca7f9bc25f914039 (4 x NetSupport, 1 x AsyncRAT)
ssdeep 12288:aOUj1/avP7r9r/+ppppppppppppppppppppppppppppp0GiLZkpNEgKLW8ea5l9:TUZav1qimNBKLl/9
Threatray 53 similar samples on MalwareBazaar
TLSH 0D946AC5EA8455B0EC59AB306A36CD349223BDBCA874941C29DE3E6B3FFB2D35025153
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx3.bangla.net
Sending IP: 203.188.252.14
From: Ms.Annette Sturm <br9631@bangla.net>
Reply-To: aggreko@emirates.net.ae
Subject: Fwd: Notice on the above Quotation and production order #
Attachment: Production order List Quotation.pdf.zip (contains "Production order List Quotation.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
185
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Production order List Quotation.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-15 16:40:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b26d2f47-8009-4312-82bd-21d76b6370eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112259/
Detection(s):
SecuriteInfo.com.Generic.Starter.3.A7A30C52.939.2306.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Sending a UDP request
Creating a file
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/582642
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2021-01-15 15:58:17 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o77luahwuvird42mqjzt6mednvlgxl2wby63lc4ym3fmuvotapma._file
Verdict:
malicious
Similar samples:
16d72d3628ed27331066627a6e8520c127e7d7e876c604a5e8c2773715038890
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
5ff6476c5eb3587ac1d7b02a7e04ec40ec0c0696b8bd7c3a34b0d5f89d2caa67
6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
8f74c5871c33b4bf63b43f3e7e216dae1cc92e79cd0035422c8eb6768b98dc06
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
e9b025c3083c60b1260f6c9b6909f3c80aa7861814b4cee817b5485bb9b3e700
+ 43 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210115-69gxexj8ea/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8
MD5 hash:
1890133e76ec2fe09839907d1172e605
SHA1 hash:
2c7e88feed5784a381b9e5ce01c9308929497f61
Detections:
win_cannon_auto
Create hunting rule
win_confucius_auto
Create hunting rule
Link:
https://www.unpac.me/results/c9e26431-4d78-4450-ab09-a4d4d688c1cc/
SH256 hash:
e616769892dcdaaa502797b2fc47301d6eacbfb54d65815843ac2eca9b4b2abd
MD5 hash:
fdae5b8fdad90f14cc867ab030336d2c
SHA1 hash:
466305e7fe471835ae39ad709c010da6ffe36948
Link:
https://www.unpac.me/results/c9e26431-4d78-4450-ab09-a4d4d688c1cc/
SH256 hash:
6dd8793d0d858bf1e99ed4ccef5cdfb99535a77928385646916fc6386f8ddd55
MD5 hash:
ec05262b00011442a1db44674d9634a8
SHA1 hash:
b20728de049321db487cbfe52ec6f060ebf81ad9
Link:
https://www.unpac.me/results/c9e26431-4d78-4450-ab09-a4d4d688c1cc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_cannon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_confucius_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 70655c32c0aecbc327b091d01e2af49d7838bc78102c45738f2681c92c27a09b

Executable exe 77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8

(this sample)

  
Dropped by
MD5 7b7ba66e47fcdc3b829344437d252ce9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112259/
  
Dropped by
SHA256 70655c32c0aecbc327b091d01e2af49d7838bc78102c45738f2681c92c27a09b

Comments