MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a
SHA3-384 hash: bc06c9a4b7c2bec29b8f4f6392e2df250e85f512e98cad3da5be2cd6d16a7c72c73c933d1734ef7ea885da5d383fb495
SHA1 hash: c28d982f663b90e9fe3c7ac22f91989c0f6a3497
MD5 hash: 2270c380c168a321b817680fdbc97c1e
humanhash: tennessee-happy-nuts-minnesota
File name:IMG-30885751234509878987656789876567-497534.exe
Download: download sample
File size:433'152 bytes
First seen:2020-11-09 16:10:52 UTC
Last seen:2020-11-09 17:45:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b92468b23209cac42d9c3c0c1d3de70 (9 x AgentTesla, 4 x AsyncRAT, 1 x Matiex)
ssdeep 12288:xH7AIfRpjh4H6WYO4D291E7y94qm21fsbV2to1f:xH7Jpj9DE1WyGSmQto1f
Threatray 3'186 similar samples on MalwareBazaar
TLSH 6E94F024B1F3C473C4B211B841584B7798B63D31077550BBBBE80E4E5E74BE09B66AAB
Reporter abuse_ch
Tags:exe Hostwinds


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-799617.hostwindsdns.com
Sending IP: 192.236.146.33
From: Al Shidhany <alshidhany@arabienertech.com>
Subject: Re: ORDER CONFIRMATION
Attachment: IMG-30885751234509878987656789876567-497534.IMG (contains "IMG-30885751234509878987656789876567-497534.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.1087.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Modifying an executable file
Creating a window
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Reading critical registry keys
Moving a recently created file
Replacing files
Deleting a recently created file
Sending an HTTP GET request
Sending a custom TCP request
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/526715
Signature
Binary contains a suspicious time stamp
Drops PE files to the user root directory
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312452 Sample: IMG-30885751234509878987656... Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected Generic Dropper 2->68 70 6 other signatures 2->70 9 IMG-30885751234509878987656789876567-497534.exe 3 2->9         started        13 IMG-30885751234509878987656789876567-497534.exe 2 2->13         started        15 IMG-30885751234509878987656789876567-497534.exe 2 2->15         started        process3 file4 50 C:\Users\user\AppData\Local\...\guntad.exe, PE32 9->50 dropped 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->76 78 Drops PE files to the user root directory 9->78 80 Drops PE files with benign system names 9->80 17 IMG-30885751234509878987656789876567-497534.exe 2 9->17         started        19 conhost.exe 9->19         started        21 IMG-30885751234509878987656789876567-497534.exe 9->21         started        23 IMG-30885751234509878987656789876567-497534.exe 13->23         started        26 conhost.exe 13->26         started        28 IMG-30885751234509878987656789876567-497534.exe 13->28         started        82 Maps a DLL or memory area into another process 15->82 30 IMG-30885751234509878987656789876567-497534.exe 15->30         started        32 conhost.exe 15->32         started        signatures5 process6 signatures7 34 IMG-30885751234509878987656789876567-497534.exe 2 17->34         started        37 IMG-30885751234509878987656789876567-497534.exe 17->37         started        74 Maps a DLL or memory area into another process 23->74 39 IMG-30885751234509878987656789876567-497534.exe 23->39         started        process8 signatures9 72 Maps a DLL or memory area into another process 34->72 41 IMG-30885751234509878987656789876567-497534.exe 2 14 34->41         started        process10 dnsIp11 54 mail.chenklins.com 41->54 56 chenklins.com 89.45.67.200, 465, 49732 BELCLOUDBG Netherlands 41->56 52 C:\Users\user\explorer.exe, PE32 41->52 dropped 84 Installs a global keyboard hook 41->84 46 explorer.exe 15 4 41->46         started        file12 signatures13 process14 dnsIp15 58 147.75.47.199, 49714, 80 PACKETUS Switzerland 46->58 60 51.143.5.0.in-addr.arpa 46->60 62 2 other IPs or domains 46->62 86 System process connects to network (likely due to code injection or exploit) 46->86 88 Multi AV Scanner detection for dropped file 46->88 90 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 46->90 92 4 other signatures 46->92 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 13:05:53 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=stiyid4tevznclwg3eaxoev4wd4tpzaesxvgtga3ccn6wmr3wnfa._file
Verdict:
unknown
Similar samples:
0474ef132fa630cd40a4176e25893fd71f787f48c2516421a56ec21a39eba382
26d95099636e212fccb35c4865a6aaee393079698b6c3a6f0a07ef2960a845b0
2719edd4501aae5818bb22c68a542d8a872fde8088175796674d3512445a4556
2b640d34fadaa474ab458cc7a312396ea6b58f269df9115dd934d79d1c869c32
518628a52655227136f54842d662c8dfea11f017ac7ef02fd1d87080bbcbc831
6a5303bb0ea9067e348cb7bee1db4740682b5a3e37822d09d9b80783f64a5569
923fb7b3ff414a712d72ebe1d904806a0ae7a3d026d1275553dfa8e6a10fcee7
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
f1ffd3c13b7bd7f498e8b718d46509a14bf571c5783d4281adcfafe13291e1fd
fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe
+ 3'176 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-r9dd2r6682/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Renos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img ceafc5cdbce1d2618050296bc870b3aeb16fc458f214269dd87ea14cfb82f2f7

Executable exe 94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a

(this sample)

  
Dropped by
MD5 8ac7397c3daf258cea34eaf91710662c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ceafc5cdbce1d2618050296bc870b3aeb16fc458f214269dd87ea14cfb82f2f7

Comments