MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae
SHA3-384 hash:	2763449611d4c62a97622c9cd0544255e3eb50357c7dcf92359a40873f3c0c38ccd36ab502fc633b35eac79f6775a1fc
SHA1 hash:	608a5286fd6377a2108125da45bfa0dfd8fda3cf
MD5 hash:	411c550880bd9cc81e3ff7b199699515
humanhash:	asparagus-oven-mississippi-batman
File name:	Westpac_Transfer_Receipt.img.exe
Download:	download sample
File size:	763'904 bytes
First seen:	2020-10-07 05:03:27 UTC
Last seen:	2020-10-07 06:24:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:8SivlLBiLXKOkkscfoh/0oxeVdVgY1afKzWlPT4khu:8hLfkscQCDg+EKzWtUkh
Threatray	164 similar samples on MalwareBazaar
TLSH	95F49DB368C2549DCD6A4A715CB580E0F97632CE3F938A0FB19E430C0E15E57B76A25E
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: mail.cswebservice.de
Sending IP: 46.252.24.25
From: Westpac Bank Australia <elizabward@westpac.com.au>
Reply-To: elizabward.westpac@mail.com
Subject: Your payment swift copy
Attachment: Westpac_Transfer_Receipt.img (contains "Westpac_Transfer_Receipt.img.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Ispy

Link:

https://www.capesandbox.com/analysis/68767/

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Creating a file in the %AppData% subdirectories

Launching a process

Creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/483634

Signature

.NET source code contains very large array initializations

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-06 23:58:36 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=p64ctgl4khjigdcsjedtffdnokcsb4meftzkai2c5qgyibgnkkxa._file

Verdict:

unknown

659c836026b1ee353c16584705804815ea357519b446db36822fb40bed5ab320

95398256c9a457e155671d2b4eb69b688c151002a1b58abd0de1411690a53c88

9feae92d12fa03fc35f79af2670703aa18a2dcb39d65c6415f81239eb5af011c

a4b6103b1dfe717301995f598b140b0ce26e7a1541f45b6ed6485c05dca2692a

a7d27c9cca035fac67dadf420c7adcfb2b196b4f2db64d94e13ddb6a9ea1c46a

b0055c111a78ee76cb6946a1e9a22f96b1b0533537865d055f465b03ac1aa7df

dbe07e65b164938977b2cc87d3fd32b44f55480385143bb628b9c78b35b0be1f

f4e60792b136f02c28fd35322ee58bf723aeaa3611d286417d8b2b0707612cdc

fbe07dca7476dba15e9dd639c2b5a71c6bbdf21b0f50ee1fde6aa5bc13e19243

+ 154 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/201007-c7zsl1gf5e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Loads dropped DLL

Unpacked files

SH256 hash:

7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae

MD5 hash:

411c550880bd9cc81e3ff7b199699515

SHA1 hash:

608a5286fd6377a2108125da45bfa0dfd8fda3cf

Link:

https://www.unpac.me/results/602c74fd-40d9-4d70-aafd-c50601e68ea4/

SH256 hash:

9e711e7d6d9a8f0cb54f0c83eb74ad7cb09f33310996cc7ad85f49907d65f0a3

MD5 hash:

d5b54f0f0fe63d9d0a9d2d608e158c6a

SHA1 hash:

52cab4fc7e5aac5f9784affd348a3f87afe498c7

Link:

https://www.unpac.me/results/602c74fd-40d9-4d70-aafd-c50601e68ea4/

SH256 hash:

06c31e4c38350cafcacfa844d02277f7ea265c0d800f6dbe7f9eb935ed1305f1

MD5 hash:

27bbc74d38f1102f6f25815ac7e62c9f

SHA1 hash:

8b54b73db2549e2a5c81d1621f9e4ca53bb80b4c

Link:

https://www.unpac.me/results/602c74fd-40d9-4d70-aafd-c50601e68ea4/

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/602c74fd-40d9-4d70-aafd-c50601e68ea4/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/602c74fd-40d9-4d70-aafd-c50601e68ea4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 445cff17f5e8f43bcda08e999a89c25c68c9c4f9599ca12d29d3ec1c82715664

exe 7fb829997c51d2830c52490732946d728520f1842cf2a02342ec0d8404cd52ae

(this sample)

Dropped by

MD5 f708e319771f9a83311bbfb2f4e72780

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/68767/

Dropped by

SHA256 445cff17f5e8f43bcda08e999a89c25c68c9c4f9599ca12d29d3ec1c82715664

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample