MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f
SHA3-384 hash: 30b61001a3e5297844c7fc5652a7fd860d523ddde61b0499e0e5caf93548321f6be8f495bb18d07c8b3386e0563bb037
SHA1 hash: 0e8a7d94476f3ff1aefc91cb45e3f6b172426a87
MD5 hash: fdea49f0be1d70b6f8d379898a3c88b4
humanhash: bacon-mango-queen-carolina
File name:QUOTATION.exe
Download: download sample
File size:1'576'960 bytes
First seen:2020-11-07 09:57:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2f095340e94ca508e3b83fb009ebf4cc (18 x Renamer)
ssdeep 24576:3cCT67wHqWis4l+jIACFr5hqjiLDpSJDN93pqb6W8cU4gLQUA:sCpn8t74iA3qb6W8cU4f
Threatray 563 similar samples on MalwareBazaar
TLSH 4D75010B9EEF116BFC552B71D02548B310FBF9F60E464722F6E1E60D2A30FA165384A6
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: usa.dupont.com
Sending IP: 156.96.107.215
From: GREG BARDIN <gil.meyer@usa.dupont.com>
Subject: QUOTATION_ Order List (PO# 081927)
Attachment: QUOTATION.r13 (contains "QUOTATION.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Ponystealer-6733035-0
Create hunting rule

Win.Trojan.VBGeneric-6989114-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/523722
Signature
Antivirus / Scanner detection for submitted sample
Found potential dummy code loops (likely to delay analysis)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f/
Threat name:
Win32.Trojan.DistTrack
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 17:01:38 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6tlgpnfxuokxkf7c3a2mrl33kfvbtgclukusyxfhvbxvdbvmypq._file
Verdict:
unknown
Similar samples:
53174a644680154786d09b66cc8c4a1aa83c625bd10137600bf191573fa5c602
67f4f7cc31f0ceaa09aee924d8930f653f2af08870b66ae7b4258200908a3c9a
686eca2834dd77a34fa608e4cd4507c6ac57613a41a705ad848b81fe8dbfcec4
93a1f0fa0637acd096c86ec4d7d3c6f73f689bf41f3cd16b5e5bcce48dcdc540
ab703a3bc7d05c62bcc127febfd82a7903a47f45664b5195ada070eb748d5b25
b6177b19a010725f003f7828862f9217af33f3b38a517a40c94c7e8174a91c95
be98190a6bf8bc5b3781fd7e68b8d57d5a0bc2b9c66a7106dd32495b44a9154d
d488fdd8ec36dfc1fdb311acf96de17d0a2a06ee3ef24eafc5a3d61708889f8a
e49bdc779eeaa52e085b217a5efe13fbdccce4d33c6b640ddfde03d607a30bde
e78fc612cad822b8532351787c4da091dd4ddbfc499d3563050b21c6ba5c0fef
+ 553 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201107-3xqpczbezn/
Behaviour
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f
MD5 hash:
fdea49f0be1d70b6f8d379898a3c88b4
SHA1 hash:
0e8a7d94476f3ff1aefc91cb45e3f6b172426a87
Link:
https://www.unpac.me/results/78820b1e-116e-43e8-8bc0-5c146d1f7776/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Embedded_PE
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar d9f60ff7459183f2c8952d79bf7c0c9cca38d6f17f55af7c13372f2b2a6409ad

Executable exe 97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f

(this sample)

  
Dropped by
MD5 4bc54f0b3709ff332b18c60240b141b4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d9f60ff7459183f2c8952d79bf7c0c9cca38d6f17f55af7c13372f2b2a6409ad

Comments