MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 90bfb4c6e4d0e4cfbc46e3f641045e47b917a6a5b6ade0e8314ce0ca1d7d6f67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 90bfb4c6e4d0e4cfbc46e3f641045e47b917a6a5b6ade0e8314ce0ca1d7d6f67
SHA3-384 hash: 8e674fdac427b363ab66f84f32623b8d3ef8b04f626f281e332b301536a07d20b4bd9d3cbe542cba7a3ce05ea3080e06
SHA1 hash: 3d80e3b78ddce5f00800d5350ffc37d353860a8d
MD5 hash: 4535dce02275394a856649cb25682036
humanhash: fanta-princess-sad-enemy
File name:56565656.exe
Download: download sample
File size:1'245'696 bytes
First seen:2020-11-05 09:14:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e84ad2fcdc8258e8b185201ca744213f
ssdeep 24576:uQTCo386FXokHD18aTnVVMMY6LkZprm6aweqYxxtd0McVWo3AeP3k:ue1htRJI6gDiwe9b70FWo3Aes
Threatray 675 similar samples on MalwareBazaar
TLSH C545CF22F2904837D1B3263F8C1B93A5982ABE713D2859463BE51E7C5F396817C263D7
Reporter abuse_ch
Tags:exe geo TUR ZiraatBank


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: srv1.demspor.com
Sending IP: 31.169.94.221
From: ZIRAAT BANKAS <ziraatbank@ileti.ziraatbank.com.tr>
Reply-To: DHL International<ahsen.coskun@kuzeyboru.com.tr>
Subject: DEKONT
Attachment: DEKONT PDF 2.rar (contains "56565656.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83133/
Detection(s):
SecuriteInfo.com.Variant.Strictor.251080.14026.14761.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Changing a file
Launching a process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/521130
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/90bfb4c6e4d0e4cfbc46e3f641045e47b917a6a5b6ade0e8314ce0ca1d7d6f67/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 21:15:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sc73jrxe2dsm7pcg4p3ecbc6i64rpjvfw2w6b2brjtqmuhl5n5tq._file
Verdict:
suspicious
Similar samples:
05c5ebfe7acb748d41d40eb6dad1c142635f5fe97958f6933fead63d723b0728
3e0a37f088d0afcb0d3528f6df73368d754f51c07acff855e1c991071cebd298
4748d8754858143f280c1022b3c01ddc0a81e9fdf04babe1e711ef09d73124b6
5026074cb8589625cc6579285ec7ec862f7f6c9616e3a1f5d61329520177cfb8
586a5c6bcf95f6049dc38661cff95eb5000a05ddad7ed07236bfdabee7ffd30f
6cebc20609d3d9a4f39599787371113c70cc5553f1d15555af232e557c2aacab
9f1bd2c46d3293044a04b58c4f9fdbe301cf6d2d5432c808b7e7310fe4544011
bdb09b8c5d9d6ee0e42047449dec605b61edc1f71ee6247b84f3c9a03669cffd
cddbbf914db713826ba190f20ccfd85b427666227210faaf435d6748fa601d14
e1ec1bb7aa6dec1ced8de00080d6c7b26890b89af96e05fb81f806bef1464be6
+ 665 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-n4z7wk9g3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Drops startup file
Unpacked files
SH256 hash:
90bfb4c6e4d0e4cfbc46e3f641045e47b917a6a5b6ade0e8314ce0ca1d7d6f67
MD5 hash:
4535dce02275394a856649cb25682036
SHA1 hash:
3d80e3b78ddce5f00800d5350ffc37d353860a8d
Link:
https://www.unpac.me/results/ea07cade-2fd5-4a3c-8bd3-57666ca00ad8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 50c4f50631ff8568e8188029ee71a4745d9fe6f39c731eef8fab34f50b6df9e1

Executable exe 90bfb4c6e4d0e4cfbc46e3f641045e47b917a6a5b6ade0e8314ce0ca1d7d6f67

(this sample)

  
Dropped by
MD5 9831e149e33ff03b1452080ffd02616e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83133/
  
Dropped by
SHA256 50c4f50631ff8568e8188029ee71a4745d9fe6f39c731eef8fab34f50b6df9e1

Comments