MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f605ce63b7211720f2a1ec7d951a11aa8073bdf8124788119b3b02a2cbb1cd9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f605ce63b7211720f2a1ec7d951a11aa8073bdf8124788119b3b02a2cbb1cd9
SHA3-384 hash: 8f087d4338622bcfda01c2c8b2811a52b2d26e61dddd9cd452f0d210841f2e351042a7f5d9e77dfb933c878e52bbed2a
SHA1 hash: 858e6c03430fe2af047a4b318fdba7ba5081d56f
MD5 hash: b52570858170ca3beac5f4737b4d559b
humanhash: magazine-south-blossom-illinois
File name:PO_201410.xls.exe
Download: download sample
File size:1'117'993 bytes
First seen:2020-10-16 10:31:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:6HLmCiIhkInLL8/4xPvrKnOlupg2hJcjyIexrFETqC:Xn/IPz7lcfJcjlexrFETh
Threatray 262 similar samples on MalwareBazaar
TLSH 6C350242F5D648B2D9721B322939BB116A7F7C201F34D69FA3D4796D9B321C26230B63
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.gammadyn.ml
Sending IP: 173.82.88.70
From: Paulo Rick <info@gammadyn.ml>
Reply-To: info@gammadyn.ml
Subject: Sales Order
Attachment: PO_201410.IMG (contains "PO_201410.xls.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71904/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/493416
Signature
Initial sample is a PE file and has a suspicious name
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f605ce63b7211720f2a1ec7d951a11aa8073bdf8124788119b3b02a2cbb1cd9/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 16:58:12 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r5qfzzr3oiixedzkd3d5sunbdkuaoo67qeshraizwoyculf3dtmq._file
Verdict:
suspicious
Similar samples:
01f936785968394ba82a93a816c897d77879a247b12621b42e12b2a7592a4f6d
4b1ffe4df1fa405add5439e82aca1f7c49070d5f7935fe0d50fa653d754b630c
77ec4cc85d8c34393dcbd4e1290e39dcee07c3468aff17e312929b84c9b6a2bf
829b3df0c75971b19d658fd980bdf0302351bdf6ddbdf5e2f5d83632df72215d
86b0b53349b935048562758a34e08ae6190c67fa522e8742f60702b334625d36
896983bee32da4a300d89878e8c5f284dec5288d60b3610439146f46cb59fbe8
a28b4a9bffc95f778a6c6593763cfad5ca96aa10843851e2c76446b4fea9a878
a6470f4a3b0b76de33c62703bd5c8559a6555440c977a2632c37444847c5a693
cd92100b5eee9f485facad22250d11ba811455710d2ca07e731f4d19741a571d
e571cd3a4c0744cb3c5443b868577adced331a7545fcb6e2ed0efbe7506a2f9b
+ 252 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Link:
https://tria.ge/reports/201016-n3t8ae6vd6/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Suspicious Office macro
Unpacked files
SH256 hash:
8f605ce63b7211720f2a1ec7d951a11aa8073bdf8124788119b3b02a2cbb1cd9
MD5 hash:
b52570858170ca3beac5f4737b4d559b
SHA1 hash:
858e6c03430fe2af047a4b318fdba7ba5081d56f
Link:
https://www.unpac.me/results/cc5259d8-92ff-4b63-805e-3643f1289c61/
SH256 hash:
d56aad2adf1f75960f2441910fb7b310718a7e42a62534295650ae8473072c1b
MD5 hash:
ec779356649c59d8abbdcc86e90d4f89
SHA1 hash:
60a076553b2e3bfd0a631c741ad02843548b905f
Link:
https://www.unpac.me/results/cc5259d8-92ff-4b63-805e-3643f1289c61/
SH256 hash:
f6eef07d18d8c057f8f3806678603036ae51a180e42b18e7f5a78b8869caa8be
MD5 hash:
bbe2ce9cb52e1cc9fa970b8094b8fb71
SHA1 hash:
abf05bbaf3f81de46f9b7cb1dd68a73889f57720
Link:
https://www.unpac.me/results/cc5259d8-92ff-4b63-805e-3643f1289c61/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8f605ce63b7211720f2a1ec7d951a11aa8073bdf8124788119b3b02a2cbb1cd9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img e85593d4b29a99360df37980d577953fb49658c8928e6b539fece53fda482ba6

Executable exe 8f605ce63b7211720f2a1ec7d951a11aa8073bdf8124788119b3b02a2cbb1cd9

(this sample)

  
Dropped by
MD5 6cd9ef4f8ddd73ef4a1bf16ebf1cfb2b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71904/
  
Dropped by
SHA256 e85593d4b29a99360df37980d577953fb49658c8928e6b539fece53fda482ba6

Comments