MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80f2e975d37eaa0391a4191d0d2ad7f2ade5a4880458bd82514aed11df92707a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80f2e975d37eaa0391a4191d0d2ad7f2ade5a4880458bd82514aed11df92707a
SHA3-384 hash: 1cc588e3e5ed9f4bd5961b3d52fe0c826dbfc2e34e1a0e3b8556b829d64bf173c74d9528613911d27104a6f1cd8c6174
SHA1 hash: 888c5152977716382d8730e35372eae4327d9bae
MD5 hash: c089f1ab1f5296fae8c7820904c21b19
humanhash: vegan-diet-april-nuts
File name:Payment advice.pdf.exe
Download: download sample
File size:668'672 bytes
First seen:2022-01-28 09:31:02 UTC
Last seen:2022-01-28 14:31:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'614 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:lq1NBnge630VAuAb2ii1mmP8zPqAe2o1VK:oBngedWsi4YbhoLK
Threatray 1'109 similar samples on MalwareBazaar
TLSH T151E47C1997F1CE04C27E37BAC559401623B96912D762EB2BDEC068E31EE13914E4BF4B
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment advice.pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-01-28 11:19:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6cc94ea2-8626-47e7-a992-61982c176c64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/224975/
Detection(s):
SecuriteInfo.com.Variant.Lazy.109238.25243.16188.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Sending a custom TCP request
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61f3b7e0c4bcf3287a63f9ca/reports/3c415169-4f72-4dfb-9abd-cf1a34023cbb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/338e3bc0-dafd-4b7c-89de-667ff5016674
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/929541
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 562019 Sample: Payment advice.pdf.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 76 22 Antivirus detection for URL or domain 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 .NET source code contains potential unpacker 2->26 28 4 other signatures 2->28 6 Payment advice.pdf.exe 15 3 2->6         started        process3 dnsIp4 20 onedrive.live.com 6->20 18 C:\Users\user\...\Payment advice.pdf.exe.log, ASCII 6->18 dropped 10 audiodg.exe 6->10         started        12 RegAsm.exe 6->12         started        14 RegAsm.exe 6->14         started        16 3 other processes 6->16 file5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80f2e975d37eaa0391a4191d0d2ad7f2ade5a4880458bd82514aed11df92707a/
Threat name:
ByteCode-MSIL.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-01-28 09:31:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdzos5otp2vahenedeoq2kwx6kw6ljeiarml3asrjlwrdx4sob5a._file
Verdict:
malicious
Similar samples:
2b697dedde68e57f4ce0031983226e1db30f0e41e52e5307f1bb1eddc87ae7e7
3ee78898d2d7a28ac204ea86304f8d897aa357310cfe96f20327c7fe776e162e
6d8f40e52347409c5bc0ecbd9c317caaba2ed624febb20d26381e478090ded33
7291efc2174f4ad5ee7a13579fb5e12f43fd5b27d610de22c50a152e540e92d9
924bb78c8e816ebd25d656fb6cf0387449cd4b3cd55846c99d4f0ddb47f71dd5
adb98685d3d6a8fa5e90b6fd9d458601d874718d5815f8aab66728ba9d067440
cfa44658173eb930058f3d9d584ca01dd6fe031f7606f84785bde0bf2331b13c
dab25e8c1516ece436f339c556e488ead016d9e7ba2c3a9d8a78f47ab19bfaec
f1f7a42018ffd700c3b6a90efbcf67c5cb7130cbb3eaea0989adfd865ddaf785
+ 1'099 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220128-lg25esaeem/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
3b0fd7e19f3f82c9cfc47f8eb090ac337578b9b92862d100d2daf53fcc36be57
MD5 hash:
835499704559448e61f6c75831fa1794
SHA1 hash:
f9f3e1e17b6f091528088f280fba3bfae4c83040
Link:
https://www.unpac.me/results/6db169e9-3756-4a76-8d24-b0735497b39d/
SH256 hash:
80f2e975d37eaa0391a4191d0d2ad7f2ade5a4880458bd82514aed11df92707a
MD5 hash:
c089f1ab1f5296fae8c7820904c21b19
SHA1 hash:
888c5152977716382d8730e35372eae4327d9bae
Link:
https://www.unpac.me/results/6db169e9-3756-4a76-8d24-b0735497b39d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/80f2e975d37eaa0391a4191d0d2ad7f2ade5a4880458bd82514aed11df92707a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 80f2e975d37eaa0391a4191d0d2ad7f2ade5a4880458bd82514aed11df92707a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/224975/

Comments