MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 81c36e1db76eb746e8f94d40e316261789295523791c3a393f6a8f937a15ac64. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 7
| SHA256 hash: | 81c36e1db76eb746e8f94d40e316261789295523791c3a393f6a8f937a15ac64 |
|---|---|
| SHA3-384 hash: | d1c93d0db4e2bcd63849f74df8e06ddc4ab88a1dc4c581220944ccb12ded7b73932e084c62aef12ad68cf0773a8670f6 |
| SHA1 hash: | a82d70e0ea01a7a9c5dac060c356fb7245e02dc9 |
| MD5 hash: | d04a2211270d0c61835eb648a964c531 |
| humanhash: | bluebird-table-pizza-video |
| File name: | Proforma invoice.exe |
| Download: | download sample |
| File size: | 693'760 bytes |
| First seen: | 2021-03-02 18:51:36 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger) |
| ssdeep | 12288:MR3mQbbmNRxegofI2vrqjakGu+sLxeO9nXadCDD0mOADq1N5Lxy6ROWWT:GmNRxeg2TTq11+sLHKdCDD0mOADq1N5e |
| TLSH | E2E4BE3632C65B65E1BC973896506C1003F3BD02D736C35A7DEB22EFD7A4E854222B66 |
| Reporter |  abuse_ch |
| Tags: | exe |
Intelligence
File Origin
# of uploads :
1
# of downloads :
177
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Proforma invoice.exe
Verdict:
Malicious activity
Analysis date:
2021-03-02 18:56:57 UTC
Tags:
n/a
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Result
Verdict:
Malware
Maliciousness:
Behaviour
DNS request
Sending a custom TCP request
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Signature
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Status:
Malicious
First seen:
2021-03-02 18:52:10 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
5/5
Detection(s):
Suspicious file
Result
Malware family:
n/a
Score:
8/10
Tags:
agilenet
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Unpacked files
SH256 hash:
81c36e1db76eb746e8f94d40e316261789295523791c3a393f6a8f937a15ac64
MD5 hash:
d04a2211270d0c61835eb648a964c531
SHA1 hash:
a82d70e0ea01a7a9c5dac060c356fb7245e02dc9
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
exe 81c36e1db76eb746e8f94d40e316261789295523791c3a393f6a8f937a15ac64
(this sample)
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.