MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8966a01a6f6dfb79aea1cb4f65f7166146d15f1b1727b5da730aaa43b70eab26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8966a01a6f6dfb79aea1cb4f65f7166146d15f1b1727b5da730aaa43b70eab26
SHA3-384 hash: a4a24d97f486901a4908fdc395b9f647645a06266c5384af4921874de27c53e7770edf8a27679947f6dbd2c2e532231d
SHA1 hash: a146988a3d8f00b95a162bec3b6a0b17d8801dd1
MD5 hash: 4b667b7d1d781a1b3913eec1a294ca82
humanhash: stream-jupiter-mirror-one
File name:PAYMENTS.PDF.exe
Download: download sample
File size:740'352 bytes
First seen:2022-06-27 08:23:06 UTC
Last seen:2022-06-27 09:20:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:80MAj+AUfV9244Yitno6ZBgBjjJK7PKGq:pR+ffVo44LtnjBgxjMrK
Threatray 1'179 similar samples on MalwareBazaar
TLSH T12BF42BD1F1908CDAED6B09F2AD2AA53024D77E9D54A4810C569EBB1736F3342209FE1F
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon eeacac8cb6e2ba86 (561 x SnakeKeylogger, 142 x AgentTesla, 40 x Formbook)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/283462/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62b969611e58e5586608caf5/reports/b3f10ad7-de50-46e1-8be5-9522ef0978c3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7b94659b-c886-42e2-834d-e05f66d266c6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1020224
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8966a01a6f6dfb79aea1cb4f65f7166146d15f1b1727b5da730aaa43b70eab26/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2022-06-27 08:24:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
10 of 41 (24.39%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rftkagtpnx5xtlvbznhwl5ywmfdncxy3c4t3lwttbkvehnyovmta._file
Verdict:
malicious
Similar samples:
13721308fa2934ff901136826d32cfe4a52a53aaeaea8f75204bd0e3b0b08b11
20a01bac19d49e0d9d404e164dca9a9b101cfb3f1bd1b89ce592fc26a4c20afb
42e5467c1516b5291491f4acbac29889575738c9f0652655ce7b7eeffa2374d4
b34c4704e5fb0a3ffa586b143f6021ce080bd89a76a0236c1fa2e65837f5ac52
b359375e9ac1bbd90bcb60c5fc6834d8a12ee2f4aadb34a001bda42a1c93b228
b66327c53adb06f067e45a7763f760aa5a240ec7a8436a0240246ff858c81f5c
c8fbd420e549bade92bad848a243a261ab638712b63f441773e74d3dae30abdc
e7f201777fab176482d282b7a56f35fa93c8fc8819be0bcbde85e9ad112b77e1
f4e0ed779c214eb0a9024a6ef2be0f72ab4ef673c5b88a4894c2ed77cca87b6b
+ 1'169 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/220627-kap1vahhal/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
0aa8ea56f670ef5041fe87ee1a27b6623c2cf7996ed489214aa076996ca40cac
MD5 hash:
faf84cab64260654988db2f9157f8f89
SHA1 hash:
e1e6ebeaf252c78e74c1355cdefc6a2c52cfab70
Link:
https://www.unpac.me/results/e395d4bd-5be1-4269-a4f6-40433d5937e1/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/e395d4bd-5be1-4269-a4f6-40433d5937e1/
SH256 hash:
dfc40d73035f6de8460c92fae22f51cb585e5b169519dfb38502229e94e7a89b
MD5 hash:
26b48d9b5ca5301fa796b118cf1036b0
SHA1 hash:
a8b20cd693a37fa9e906c7ecbe4cce34cba0b8ea
Link:
https://www.unpac.me/results/e395d4bd-5be1-4269-a4f6-40433d5937e1/
SH256 hash:
8966a01a6f6dfb79aea1cb4f65f7166146d15f1b1727b5da730aaa43b70eab26
MD5 hash:
4b667b7d1d781a1b3913eec1a294ca82
SHA1 hash:
a146988a3d8f00b95a162bec3b6a0b17d8801dd1
Link:
https://www.unpac.me/results/e395d4bd-5be1-4269-a4f6-40433d5937e1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.38
Link:
https://yomi.yoroi.company/submissions/8966a01a6f6dfb79aea1cb4f65f7166146d15f1b1727b5da730aaa43b70eab26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 8966a01a6f6dfb79aea1cb4f65f7166146d15f1b1727b5da730aaa43b70eab26

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/283462/

Comments