MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dfb08f5a669070d545d5e1e4d72c27b8c80d9c95820e441bbbacf1e9dd4aa31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dfb08f5a669070d545d5e1e4d72c27b8c80d9c95820e441bbbacf1e9dd4aa31
SHA3-384 hash: a34a1e9e1f7cd21d82eb4ac06c83a1ee4e486e11e297544063e0a3a769c075f94a006ce86c0f2b7b79c96c3be0c164cb
SHA1 hash: 6d271d0f377728657f4c284253cdc51faa3fdb5c
MD5 hash: a7f37abc65de8b02ac67af17a289ad69
humanhash: sad-south-september-alanine
File name:Payment Invoice.exe
Download: download sample
File size:385'024 bytes
First seen:2021-04-01 07:27:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ce1c6fdc67e50426e322780731487a52
ssdeep 6144:run1cQ1S4GlA9jmHv/VCSY3hw9lMbk6u1QMS0y+lqiHTonWryFDYRJ:rx46A9jmP/uhu/yMS08CkntxYRJ
Threatray 5'472 similar samples on MalwareBazaar
TLSH 1484F01AB7D20E87E9BA6EB12F9791F042B3B85B1FA7464B7640723D2821F114C9471F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: docprime.com
Sending IP: 13.233.25.156
From: Basudeb Pan <xyz@docprime.com>
Subject: Payment Acknowledgement Is Attached
Attachment: Payment Invoice 1.zip (contains "Payment Invoice.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-04-01 07:43:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6fa1ca27-d85e-4632-9a05-3c4ca96d04ed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/130524/
Detection(s):
SecuriteInfo.com.Trojan.Heur.VP.xm0@aKzyA6bi.25590.19641.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file
Searching for the window
Deleting a recently created file
Replacing files
Creating a process from a recently created file
Sending a UDP request
Launching a process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/661817
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected VBKeyloggerGeneric
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 379847 Sample: Payment Invoice.exe Startdate: 01/04/2021 Architecture: WINDOWS Score: 100 20 Antivirus detection for dropped file 2->20 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for dropped file 2->24 26 7 other signatures 2->26 7 Payment Invoice.exe 2 37 2->7         started        10 znmutuch.exe 12 2->10         started        process3 file4 18 C:\Users\user\AppData\...\znmutuch.exe, PE32 7->18 dropped 12 cmd.exe 1 2 7->12         started        14 znmutuch.exe 4 27 7->14         started        process5 process6 16 conhost.exe 12->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7dfb08f5a669070d545d5e1e4d72c27b8c80d9c95820e441bbbacf1e9dd4aa31/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-04-01 01:17:58 UTC
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=px5qr5ngnedq2vc5lype24wcpogibwojlaqoiqn3xlhr5houviyq._file
Verdict:
unknown
Similar samples:
1664c6a330c5b318458518ea71b2a9995a91c79281a050278c3aa2388663a986
2ed2a56967e7cb3e18b8b2cb910b9e6d356a52a9b65a05309c36ec62fa09773c
4115f7f18a5b142e38238daa8e858810ca283bdaee3aebf3d4c18bf67ddd27af
5c86fcf32d1f15a745dd2f39989630ac310d1aee52af7b5f762f75f8855879ab
6812d44b05455b4503ffa118b62d3810304f3867b528042985dc6ebc834ebdfc
801aff832240d9b440bcd8fb1244c03b328a91035a69de29ba8421b82e077ca3
8395d914d703f9624f94523aedd697037a51eb00c0f2e48444d43f58fdb95d82
c688c6b0f5bd44c8d37e810000892ce8d0e2225f1dd04a92d454fd60c7cdc779
e138622ca793f4a546496b40dcf406a83aa667d16fa2a29879d8282a39d6e7ff
eb5b36b887116b5aa12cb5609d9d2e132829e325b2c3e16133299696460a0e92
+ 5'462 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210401-48vlszrmvn/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
7dfb08f5a669070d545d5e1e4d72c27b8c80d9c95820e441bbbacf1e9dd4aa31
MD5 hash:
a7f37abc65de8b02ac67af17a289ad69
SHA1 hash:
6d271d0f377728657f4c284253cdc51faa3fdb5c
Link:
https://www.unpac.me/results/887075d1-4c44-4322-a5ed-bda54098a787/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7dfb08f5a669070d545d5e1e4d72c27b8c80d9c95820e441bbbacf1e9dd4aa31

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 45aecd6123f928ed68dd96ff464e22bdcd92ff3872159649edf8a082bbaa5d8c

Executable exe 7dfb08f5a669070d545d5e1e4d72c27b8c80d9c95820e441bbbacf1e9dd4aa31

(this sample)

  
Dropped by
MD5 453db202ff5606e4a28dd8d168b7bf1a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/130524/
  
Dropped by
SHA256 45aecd6123f928ed68dd96ff464e22bdcd92ff3872159649edf8a082bbaa5d8c

Comments