MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a19b2a0ea3453436bf808898a5d9f479c1a9460ed6b224b1be5f9ceb950a955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	7a19b2a0ea3453436bf808898a5d9f479c1a9460ed6b224b1be5f9ceb950a955
SHA3-384 hash:	1e53e39fab7c2a74500b4d23038edc6f8f65181592a57dcf191c11395ccd1700c53a52afca45c30ca6d0e6783d615b5c
SHA1 hash:	50516abd6066cc1163c9aa2c31bcb4f75773cc7a
MD5 hash:	eeda91f8241681bbc1c220a9ff7c53da
humanhash:	salami-butter-nitrogen-tennis
File name:	Purchase Order # 51047004.exe
Download:	download sample
File size:	212'992 bytes
First seen:	2022-11-06 19:52:56 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	1536:HO1KSXUfi8GdF+t1ZjhGIBOrPaOYdSkjiRNqOP3M:HOPUfi8GdF+t71hEbaFSkjiRrPc
Threatray	95 similar samples on MalwareBazaar
TLSH	T177245674A1F16ACDE896CEB28E60EA19FFE70C519A45421FD13238F6513BB85C6041FE
TrID	69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	10808a8c8c8a8010 (77 x Formbook, 51 x AgentTesla, 44 x RemcosRAT)
Reporter	GovCERT_CH
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

154

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Purchase Order # 51047004.exe

Verdict:

No threats detected

Analysis date:

2022-11-06 19:56:14 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/28cef535-1aaf-4904-bf83-83db552c4ac8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/329554/

Detection(s):

Win.Dropper.LokiBot-9969312-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Query of malicious DNS domain

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6368109ed998c15a09ab36ac/reports/f187eade-3d92-4e0f-9bec-adf2b37ba0d1/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/28e8a5ac-dd43-4e87-a74c-e63afc526f8e

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/1106755

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for URL or domain

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7a19b2a0ea3453436bf808898a5d9f479c1a9460ed6b224b1be5f9ceb950a955/

Threat name:

ByteCode-MSIL.Trojan.Tnega

Status:

Malicious

First seen:

2022-11-04 09:55:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 26 (69.23%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pim3fihkgrjug27ybceyuxm7i6obvfda5vvsesy34x445okqvfkq._file

Verdict:

malicious

22e699dddb4e02a8f046243850a37c0f03295b5d2f95ed8f470919d916b30e51

3c9ea84465ac087d0dda3ab93ad200e9913d527986ca8358d551ad81a14c9bfb

cf16e91a8611d4dfbba4af8164ab661d612e21a4403a62b6fb0d9ad25d065613

ebb83e7370e7f72ea765a29d35da29615048eaf5b312076cdc28a3957e6f0226

f2a4cc133dfeca5432bf22c2817aeb8edb434057711727fc245eafddd08daf5f

fe9c6577a6e952d6cdae6af1944f9dc1137295ef6daee6972aa2db865c87fdf2

+ 85 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/221106-ylyc9ahfe5/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/af006aa5-d397-4cc6-9148-921b4224d005

Unpacked files

SH256 hash:

5d0b725052f35e858346f88479adcdf3c4ef09bae27a9f525215a2c2692cd1ae

MD5 hash:

5b92e6791726082a66e626f9f503e463

SHA1 hash:

e0e5e2029d4b74a93739fc5d81bd0294807372c2

Link:

https://www.unpac.me/results/bec2efb0-450e-47e7-bc50-9e1b9a2c9b0d/

SH256 hash:

7a19b2a0ea3453436bf808898a5d9f479c1a9460ed6b224b1be5f9ceb950a955

MD5 hash:

eeda91f8241681bbc1c220a9ff7c53da

SHA1 hash:

50516abd6066cc1163c9aa2c31bcb4f75773cc7a

Link:

https://www.unpac.me/results/bec2efb0-450e-47e7-bc50-9e1b9a2c9b0d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/7a19b2a0ea3453436bf808898a5d9f479c1a9460ed6b224b1be5f9ceb950a955

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ConfuserEx Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ConfuserEx Mod

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 7a19b2a0ea3453436bf808898a5d9f479c1a9460ed6b224b1be5f9ceb950a955

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/329554/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample