MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 791e9401b2e0910228a5fd4dbac30226ae4ed8c42c54786c9bb7bc5f116886a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 791e9401b2e0910228a5fd4dbac30226ae4ed8c42c54786c9bb7bc5f116886a6
SHA3-384 hash: 25084ca2feb041055576f76ca99a606216b6e1a2b3d52a98856807f352f76fca96b12c0d74961c02a1593b03f9fee2a1
SHA1 hash: f4ec1a6e2758ccd65e583c3a8baa1fe7bac3c37e
MD5 hash: 14c1402d0865989e70a8506fffbe61d5
humanhash: diet-hydrogen-mockingbird-music
File name:PO.exe
Download: download sample
File size:662'528 bytes
First seen:2021-01-06 07:18:07 UTC
Last seen:2021-01-06 08:34:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GAgESqq2VUVLy369TKOE0P0rR1e/Xko7yuSUw:GAoqqTRzw0P0nGX0uSU
Threatray 2 similar samples on MalwareBazaar
TLSH 1DE44A1133F18413F89B0265643876CC1D3CB183B6D9E25BAB367AD493059BAF7E8E52
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.m3texsourcnig.com
Sending IP: 62.171.167.170
From: inquire1@m3texsourcnig.com
Reply-To: inquire1@m3texsourcnig.com
Subject: Re:PO/PI Reconfirm Orders
Attachment: PO.7z (contains "PO.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-06 07:28:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b91b0d10-a9bc-43f1-a00e-cfbad6c411a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110679/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.jc.5165.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Deleting a recently created file
Sending a custom TCP request
Creating a file
Creating a window
Sending a UDP request
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/574836
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 336475 Sample: PO.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 52 10 Multi AV Scanner detection for submitted file 2->10 12 .NET source code contains potential unpacker 2->12 6 PO.exe 4 2->6         started        process3 process4 8 dw20.exe 22 6 6->8         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/791e9401b2e0910228a5fd4dbac30226ae4ed8c42c54786c9bb7bc5f116886a6/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-06 03:24:00 UTC
AV detection:
5 of 28 (17.86%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pepjians4ciqekff7vg3vqyce2xe5wgefrkhq3e3w66f6eliq2ta._file
Verdict:
unknown
Similar samples:
ae3ed3cc7495aa7d7b937b933256649573272cfd78dcb7835234f7488d12a3ba
b3748ae0bd6e35d549cc5653bf5427dd2e58f06b19972392c9264adf5916d97d
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210106-gs1cz7hf9n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
791e9401b2e0910228a5fd4dbac30226ae4ed8c42c54786c9bb7bc5f116886a6
MD5 hash:
14c1402d0865989e70a8506fffbe61d5
SHA1 hash:
f4ec1a6e2758ccd65e583c3a8baa1fe7bac3c37e
Link:
https://www.unpac.me/results/08fb3d66-835e-443a-b890-9d4add98ae6f/
SH256 hash:
64a419709ad219ffc006bda776b650da486d55048d2fa34525f40227da0e5c86
MD5 hash:
88c0ec8398978fa2e4240f02765086ad
SHA1 hash:
5a5c4935b2d70e890c89ad9332365f4f4aa86f3c
Link:
https://www.unpac.me/results/08fb3d66-835e-443a-b890-9d4add98ae6f/
SH256 hash:
492f91c1275b6db43470061846a650daf103982d551e95092f5020a5adfc218b
MD5 hash:
10e1e01df0fb73283e0d59e4eb534f59
SHA1 hash:
dd62b9ab212df8da4eac635b1c43553fe9c59ec0
Link:
https://www.unpac.me/results/08fb3d66-835e-443a-b890-9d4add98ae6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/791e9401b2e0910228a5fd4dbac30226ae4ed8c42c54786c9bb7bc5f116886a6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z 9f510d2d21d2289429c7a862dfb57123bb8dde1efb808b2e3a2456594579a143

Executable exe 791e9401b2e0910228a5fd4dbac30226ae4ed8c42c54786c9bb7bc5f116886a6

(this sample)

  
Dropped by
MD5 804db892b9c02d65aedf405abc0a7451
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9f510d2d21d2289429c7a862dfb57123bb8dde1efb808b2e3a2456594579a143
Cape
Cape
https://www.capesandbox.com/analysis/110679/

Comments