MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4
SHA3-384 hash: e510c9f9046ba2ea19cb8e5689959108b3bd2ca000656626271795f4459236b956914e6926309a10e4624e997f391d2e
SHA1 hash: f71625b5e14ba9b09a0ac430899ecc1217beeaea
MD5 hash: e6562be54a063accea33b6d698cbaddb
humanhash: oxygen-muppet-whiskey-cardinal
File name:Swift.Doc
Download: download sample
File size:229'476 bytes
First seen:2023-09-26 06:55:06 UTC
Last seen:2023-09-26 07:36:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dda1a1d1f8a1d13ae0297b47046b26e (64 x Formbook, 39 x GuLoader, 22 x RemcosRAT)
ssdeep 6144:LnPdudwDg2HOO0PQ00j5Kl3whcgGBRLzm0sDmV/T:LnPd82ufPQ001G3cGBtlxT
Threatray 1 similar samples on MalwareBazaar
TLSH T18A24128C77A1C873D86757716C325BB36FF9D5323286674B07A03AAC3C32945D92E226
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
252
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift.Doc
Verdict:
Malicious activity
Analysis date:
2023-09-26 06:56:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b2c59246-d506-4204-884f-36384c9122e5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/451174/
Detection(s):
SecuriteInfo.com.FileRepMalware.19660.26052.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a window
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process by context flags manipulation
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control lolbin masquerade overlay packed shell32
Link:
https://www.filescan.io/uploads/6512808433582f234e034762/reports/58ec0ec8-b8a2-48ae-b61e-61d5cc328668/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41ef8850-f4f3-42f7-82c2-14afc998c141
Result
Threat name:
NSISDropper
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1314305
Signature
.NET source code contains potential unpacker
Detected unpacking (creates a PE file in dynamic memory)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected NSISDropper
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4/
Threat name:
Win32.Trojan.InjectorX
Create hunting rule
Status:
Malicious
First seen:
2023-09-25 23:21:57 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
16 of 35 (45.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pyh2mbzsabcazdqb26opqtbx2jtrkwngwjcxl7aua6wcczrqjssa._file
Verdict:
malicious
Similar samples:
b48656a73f039dfc48e237f13a15133739b2f26af136b9540f038e922f98b2c0
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230926-hqcpcage57/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b711f2212e78918f8269a913966e1f7e0a178b499b9a10cbefb6cd2cd1166050
MD5 hash:
5797df79a43848b62dde20649c6a5f44
SHA1 hash:
e91df03fff8371fc046d9fe771623ad088d4175a
Link:
https://www.unpac.me/results/a890d85f-5a28-490d-85c5-1a4898c52af8/
SH256 hash:
7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4
MD5 hash:
e6562be54a063accea33b6d698cbaddb
SHA1 hash:
f71625b5e14ba9b09a0ac430899ecc1217beeaea
Link:
https://www.unpac.me/results/a890d85f-5a28-490d-85c5-1a4898c52af8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e0fa6073200/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 7e0fa6073200440c8e01d79cf84c37d2671559a6b24575fc1407ac2166304ca4

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/451174/

Comments