MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8bfd499350dc36e9ad85f70e01249bb917dfe4002d07c8fca7a780a1a4b2c6c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8bfd499350dc36e9ad85f70e01249bb917dfe4002d07c8fca7a780a1a4b2c6c7
SHA3-384 hash: 97436ef6c7bf6e6b15b22542acf9647ee42b8e139e8452141610ce1df92d23a3b943fd23bf972761a8da67b9c22bac79
SHA1 hash: 72062a06e73f3c2d931c27d677c0334b7c962e26
MD5 hash: 4283f36c5dd58523ead73e5c89f3b8d2
humanhash: zulu-summer-delta-early
File name:Notes.one
Download: download sample
File size:159'184 bytes
First seen:2023-02-09 05:51:21 UTC
Last seen:2023-02-09 05:58:15 UTC
File type:Microsoft OneNote (one) one
MIME type:application/octet-stream
ssdeep 1536:OevY6z54EJ+ytgXIeZCXIokE9Kkf2oY7LLw7wDzKiivL4w1jr8TYEo7/2x0R6Z+a:NgS2EJbyYeMYkKkyX3DWvLLATirRg+a
TLSH T1C2F3D026F581864ACB29413909E76FB47373BE069591631FDFB62E2C5DF0288CC9468F
Reporter Anonymous
Tags:exe one test


Avatar
Anonymous
this malware sample is very nasty!

Intelligence

File Origin
# of uploads :
2
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.28786.Heur.BadOne.OPC.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28788.Heur.BadOne.cmd.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.ONE.Shell-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28785.Heur.BadOne.Pshell.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.ONE.Obfus-1.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.28788.Heur.BadOne.b64.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.ONE.Shell-2.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.OneNotePkillExeExtDetonationRulingTheNation.20230125.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/63e48a02459bcf4604ffd127/reports/999ba34d-7d5a-4a21-8e24-f6b7d0128c55/overview
Verdict:
Malicious
Labled as:
Trojan.MSOffice.Agent
Link:
https://www.hybrid-analysis.com/sample/8bfd499350dc36e9ad85f70e01249bb917dfe4002d07c8fca7a780a1a4b2c6c7
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1172093
Signature
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Suspicious powershell command line found
Yara detected Malicious OneNote
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 804882 Sample: Notes.one Startdate: 11/02/2023 Architecture: WINDOWS Score: 84 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 2 other signatures 2->48 7 ONENOTE.EXE 52 501 2->7         started        10 cmd.exe 2 2->10         started        13 ONENOTEM.EXE 2->13         started        process3 file4 30 C:\Users\user\Documents\...\Quick Notes.one, data 7->30 dropped 32 C:\Users\user\Desktop32otes.one, data 7->32 dropped 34 C:\Users\...\~Notes.one.onebackupconstruction, data 7->34 dropped 38 3 other malicious files 7->38 dropped 15 ONENOTEM.EXE 1 7->15         started        36 C:\ProgramData\in.cmd, ASCII 10->36 dropped 50 Suspicious powershell command line found 10->50 17 cmd.exe 1 10->17         started        19 powershell.exe 7 10->19         started        21 conhost.exe 10->21         started        signatures5 process6 process7 23 powershell.exe 14 16 17->23         started        26 conhost.exe 17->26         started        28 rundll32.exe 17->28         started        dnsIp8 40 vielagroglobal.com 167.250.5.22, 443, 49703 NUTHOSTSRLAR Argentina 23->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8bfd499350dc36e9ad85f70e01249bb917dfe4002d07c8fca7a780a1a4b2c6c7/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-09 05:52:06 UTC
File Type:
Document
AV detection:
7 of 39 (17.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rp6ute2q3q3otlmf64hacje3xel57zaafud4r7fhu6akdjfsy3dq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230209-gkqhksef3x/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/8bfd499350dc36e9ad85f70e01249bb917dfe4002d07c8fca7a780a1a4b2c6c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:onenote_file
Create hunting rule
Description:Microsoft Onenote File
Rule name:OneNote_magic
Create hunting rule
Author:Stuart Gonzalez
Rule name:onenote_maldocs
Create hunting rule
Author:Stuart Gonzalez
Rule name:QakBot_OneNote_Loader
Create hunting rule
Author:Ankit Anubhav - ankitanubhav.info
Description:Detects a OneNote malicious loader mostly used by QBot (TA570/TA577)
Rule name:SUSP_OneNote
Create hunting rule
Author:spatronn
Description:Hard-Detect One
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP

File information

The table below shows additional information about this malware sample such as delivery method and external references.

01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

Microsoft OneNote (one) one 8bfd499350dc36e9ad85f70e01249bb917dfe4002d07c8fca7a780a1a4b2c6c7

(this sample)

anyrun
any.run
https://app.any.run/tasks/1
anyrun
any.run
https://app.any.run/tasks/2
Joe
Joe Sandbox
https://www.joesecurity.org/reports/1
Joe
Joe Sandbox
https://www.joesecurity.org/reports/2
Malpedia
Malpedia
https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
  
X
https://twitter.com/abuse_ch/status/1224269018506330112
  
Link
https://urlhaus.abuse.ch/url/306613/
  
Dropped by
MD5 68b329da9893e34099c7d8ad5cb9c940
  
Dropped by
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
  
Dropped by
SHA256 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
  
Dropped by
Gozi
  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/185/
  
URLhaus
https://urlhaus.abuse.ch/url/250/
  
URLhaus
https://urlhaus.abuse.ch/url/632/
  
URLhaus
https://urlhaus.abuse.ch/url/299/
  
URLhaus
https://urlhaus.abuse.ch/url/959/
  
URLhaus
https://urlhaus.abuse.ch/url/2267/
  
URLhaus
https://urlhaus.abuse.ch/url/2296/
  
URLhaus
https://urlhaus.abuse.ch/url/859/
  
URLhaus
https://urlhaus.abuse.ch/url/2535/
  
URLhaus
https://urlhaus.abuse.ch/url/2560/
  
URLhaus
https://urlhaus.abuse.ch/url/2004/
  
URLhaus
https://urlhaus.abuse.ch/url/1910/
  
URLhaus
https://urlhaus.abuse.ch/url/2255/
  
URLhaus
https://urlhaus.abuse.ch/url/725/
  
URLhaus
https://urlhaus.abuse.ch/url/7391/
  
URLhaus
https://urlhaus.abuse.ch/url/8079/
  
URLhaus
https://urlhaus.abuse.ch/url/8168/
  
URLhaus
https://urlhaus.abuse.ch/url/3160/
  
URLhaus
https://urlhaus.abuse.ch/url/4006/
  
URLhaus
https://urlhaus.abuse.ch/url/3959/
  
URLhaus
https://urlhaus.abuse.ch/url/893/
  
URLhaus
https://urlhaus.abuse.ch/url/7376/
  
URLhaus
https://urlhaus.abuse.ch/url/13445/
  
URLhaus
https://urlhaus.abuse.ch/url/13246/
  
URLhaus
https://urlhaus.abuse.ch/url/588/
  
URLhaus
https://urlhaus.abuse.ch/url/14138/
  
URLhaus
https://urlhaus.abuse.ch/url/13739/
  
URLhaus
https://urlhaus.abuse.ch/url/16482/
  
URLhaus
https://urlhaus.abuse.ch/url/15188/
  
URLhaus
https://urlhaus.abuse.ch/url/10989/
  
URLhaus
https://urlhaus.abuse.ch/url/9505/
  
URLhaus
https://urlhaus.abuse.ch/url/16604/
  
URLhaus
https://urlhaus.abuse.ch/url/16504/
  
URLhaus
https://urlhaus.abuse.ch/url/8621/
  
URLhaus
https://urlhaus.abuse.ch/url/16257/
  
URLhaus
https://urlhaus.abuse.ch/url/14587/
  
URLhaus
https://urlhaus.abuse.ch/url/20366/
  
URLhaus
https://urlhaus.abuse.ch/url/20767/
  
URLhaus
https://urlhaus.abuse.ch/url/22808/
  
URLhaus
https://urlhaus.abuse.ch/url/22626/
  
URLhaus
https://urlhaus.abuse.ch/url/24594/
  
URLhaus
https://urlhaus.abuse.ch/url/24379/
  
URLhaus
https://urlhaus.abuse.ch/url/25740/
  
URLhaus
https://urlhaus.abuse.ch/url/26033/
  
URLhaus
https://urlhaus.abuse.ch/url/25671/
  
URLhaus
https://urlhaus.abuse.ch/url/24097/
  
URLhaus
https://urlhaus.abuse.ch/url/26448/
  
URLhaus
https://urlhaus.abuse.ch/url/25492/
  
URLhaus
https://urlhaus.abuse.ch/url/22956/
  
URLhaus
https://urlhaus.abuse.ch/url/20972/
  
URLhaus
https://urlhaus.abuse.ch/url/20866/
  
URLhaus
https://urlhaus.abuse.ch/url/18823/
  
URLhaus
https://urlhaus.abuse.ch/url/18542/
  
URLhaus
https://urlhaus.abuse.ch/url/1916322/
  
URLhaus
https://urlhaus.abuse.ch/url/1735503/
  
URLhaus
https://urlhaus.abuse.ch/url/1391283/
  
URLhaus
https://urlhaus.abuse.ch/url/1551735/
  
URLhaus
https://urlhaus.abuse.ch/url/1726425/
  
URLhaus
https://urlhaus.abuse.ch/url/1257908/

Comments