MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
SHA3-384 hash: 00db8c2eb7b3d409c661f411178f2006564b6a757b11bde75f98795b770dd0fe256ef0a9527eb9a8ea02d011e9f70e62
SHA1 hash: 9a33ae3a28d651aa20d7b34a94722a589a4035e5
MD5 hash: ee859aa695a1f7026610e139afaec6f1
humanhash: blossom-monkey-helium-berlin
File name:PO 1002567005.....exe
Download: download sample
File size:716'172 bytes
First seen:2022-10-10 06:11:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 56a78d55f3f7af51443e58e0ce2fb5f6 (719 x GuLoader, 451 x Formbook, 295 x Loki)
ssdeep 12288:dNe1QFYm94oUhIH0DOjDO6D7zkoT+lqp/7Iu/O2ybZx9Y9rl7jjGHD:dNeu3TUG0KjDZlT+lQTD/O3BArRCHD
Threatray 205 similar samples on MalwareBazaar
TLSH T161E4227837418366EF639E39CB2F722D9AB58C6605D0E12ACB0EBFBC2CF55524D25244
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 125ad212e9cd3682 (40 x AgentTesla, 21 x Loki, 19 x Heodo)
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/318146/
Detection(s):
SecuriteInfo.com.Trojan.NSISX.Spy.Gen.2.6896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
DNS request
Reading critical registry keys
Sending an HTTP GET request
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/42144/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6343b7b781eef2a234c4acfa/reports/32c6495e-a5ea-4edc-af5c-a354fe0973b2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66507fcd-1b6e-478e-9245-9884f0fda122
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1087628
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720206 Sample: PO 1002567005.....exe Startdate: 11/10/2022 Architecture: WINDOWS Score: 68 34 Antivirus detection for dropped file 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Machine Learning detection for sample 2->40 8 PO 1002567005.....exe 19 2->8         started        process3 file4 24 C:\Users\user\AppData\Local\...\futamxqy.exe, PE32 8->24 dropped 11 futamxqy.exe 244 8->11         started        process5 file6 26 C:\Users\user\AppData\Local\Temp\FEFB.tmp, PE32 11->26 dropped 28 C:\Users\user\AppData\Local\Temp\FE87.tmp, PE32 11->28 dropped 30 C:\Users\user\AppData\Local\Temp\FE2F.tmp, PE32 11->30 dropped 32 241 other malicious files 11->32 dropped 14 MpCmdRun.exe 1 11->14         started        16 futamxqy.exe 11->16         started        18 futamxqy.exe 11->18         started        20 33 other processes 11->20 process7 process8 22 conhost.exe 14->22         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-10-05 23:30:26 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucvmhxcygibgupis2uhtyopjrcrtjwd6ul6i7pgr74zuqrqg2ljq._file
Verdict:
malicious
Similar samples:
51571264ea17f6eb11267797cfd17a462c408580ecbfd10587dd8f848a79e15f
57c9630ff4575c0881314c5f31f4177249c84218642cef6c3896fbc6337c380a
594d61a4bcbcc6503743aae78c47f798557492ba9c0704c3aa188f528b50c5e3
63dd0a2a872fe7368088cd4916ed199f6ead9c5f5843facdcaa578bb68dedd57
6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
83327640b003bbdb759074d1e9925381bcb661a35b531b3d9832435ae80298ac
886581e4b23e851f4244fb1a1d028e0ba1ed11d5b85868519cc606a40a06457c
a233b76767157c012c4d1ec34726d87ea1efac01e49efd9fef394c7e84966103
d79a379ce1fcbe1e3548dfde37f6c2591f2ebf8de6c0d0db6f282933e529cf53
e510aadd7609c9ec1e54c9b8c036c9a10dfe8ef9c67feb54f1b30399a7605c4d
+ 195 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/221010-gx614aagd2/
Behaviour
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/41d02d4e-6131-4550-a4fb-ad6ab6afc657
Unpacked files
SH256 hash:
c0e1bbe2304d89804673b63a17416041e299c2773aceec70759f1094829b189e
MD5 hash:
47c9aaa4eef6e3ace27ccbde29a5c848
SHA1 hash:
dfbc78c9b2ad768bb8946cd2d12e389258329a9f
Link:
https://www.unpac.me/results/471bab3a-c1d1-4150-8f3d-116825bdc57e/
SH256 hash:
595f8e51fbe326d278c78011343470ce97f5d655ad657023a4ba5edc79006a4d
MD5 hash:
afd61ed83d724ee7e4459b7526109c2f
SHA1 hash:
458f66512e5ba13b3777266528767935fa57028e
Link:
https://www.unpac.me/results/471bab3a-c1d1-4150-8f3d-116825bdc57e/
SH256 hash:
a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3
MD5 hash:
ee859aa695a1f7026610e139afaec6f1
SHA1 hash:
9a33ae3a28d651aa20d7b34a94722a589a4035e5
Link:
https://www.unpac.me/results/471bab3a-c1d1-4150-8f3d-116825bdc57e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe a0aac3dc5832026a3d12d50f3c39e988a334d87ea2fc8fbcd1ff33484606d2d3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/318146/

Comments