MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf
SHA3-384 hash:	58860acef08742f71660a48e920872ad9bb97d5ab5f28f9c3f25186a11346fb4230f6c861711bfa3dbe9a244057f6f55
SHA1 hash:	2e618174d09b00abc16d34bff7b646e036adf253
MD5 hash:	43dc1d7eeef9b4ca0d455404b12c34c8
humanhash:	kitten-princess-double-orange
File name:	工作报表.exe
Download:	download sample
File size:	821'348 bytes
First seen:	2023-03-31 15:55:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cfda23baf1e2e983ddfeca47a5c755a (33 x RedLineStealer, 6 x Dridex, 5 x NetSupport)
ssdeep	24576:Sny/f9uCOXP25JiBvuXwKhbBh4iv/IVVWX77Sj+ithPW1:XF0IJSmgaVhvv/IVKyj+d
Threatray	355 similar samples on MalwareBazaar
TLSH	T11D05126234D1C073C5530970C6A8E772E6B8F9354A76298BBFD04F2DBF61A62C216793
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	cdabae6fe6e7eaec (20 x Amadey, 9 x AurotunStealer, 8 x CoinMiner)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

262

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

工作报表.exe

Verdict:

Malicious activity

Analysis date:

2023-03-31 15:58:39 UTC

Tags:

loader

Link:

https://app.any.run/tasks/4f0fb100-9655-4208-ae20-49f3e651d292

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/379080/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop7.53194.14125.546.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Creating a file in the %AppData% subdirectories

Sending an HTTP GET request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed packed packed shell32.dll

Link:

https://www.filescan.io/uploads/642702945a075383fbfec45b/reports/a74ee053-c844-4bfa-90ef-7bc17f0bc64c/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/eb2680d6-3b60-44d7-bc44-6bd1b383d5cf

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1205990

Signature

Detected unpacking (changes PE section rights)

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

PE file has a writeable .text section

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf/

Threat name:

Win32.Trojan.Fragtor

Status:

Malicious

First seen:

2023-03-31 15:56:10 UTC

File Type:

PE (Exe)

Extracted files:

212

AV detection:

15 of 24 (62.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uhxikxuxlw4jk5cw7rqmgpvqic333qx7phn5s6m7g6ne3sw6og7q._file

Verdict:

malicious

02384895e3cc26b4844744ad987dcbad59a24f03053a5f4f82af768767aac548

046790ee0a686933cd5104cf204067df20b5cdc70d048327b20c2683a3a74570

4e90491d7bfcb50079a2fc9795b8ae9c4bd9ee5b26913b075ea248f953c6b910

71a0f84fc97d3ea8ecdc9dc19e058fe994e3cecf826f3db462c4995d8ee6dacb

7aec9cc59a59492ef083e1ffb33acc09f901bb2b4697107ebc5ab8d41ce99592

b9ba3633e6ae613c553bb7311affb973b5d3c5f41de5a9e5f1b048cb2cda8a34

d46dbbb40bf11bda9b1aa74d9d2550a73ab0ae6008270c2c541153cd4974a3dd

+ 345 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

aspackv2

Link:

https://tria.ge/reports/230331-tctaqabc65/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

ASPack v2.12-2.42

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Downloads MZ/PE file

Unpacked files

SH256 hash:

db40a1f02647886664ff87d83d36acbcb2037bf90f17de037fdaa66f3e29db89

MD5 hash:

6d594f8d95287a5cdc6196ba063a4633

SHA1 hash:

50f32c1575a590d2cd893f002fa4074fa0ea6a53

Link:

https://www.unpac.me/results/fea2290e-1502-488e-a935-e2986e6ff0f0/

SH256 hash:

c5b1ff98a590d63ba21f980c52f8c4430fa27f0d5c176f654b124bea4d3e33dc

MD5 hash:

eb73c9ff1e7423fe5a5e44286f029893

SHA1 hash:

2abd5e559ad3ad20446bf00e0bf99f2a2ef8db4f

Link:

https://www.unpac.me/results/fea2290e-1502-488e-a935-e2986e6ff0f0/

SH256 hash:

711757827c4995133139c51628d0b6a4bd47c6a0b6ececfc5b5dadd99b72bc89

MD5 hash:

1edb97f3c1191219da2760575ab1edae

SHA1 hash:

c681cbc2c555e64140563d5eef9d55ec8f848f3e

Link:

https://www.unpac.me/results/fea2290e-1502-488e-a935-e2986e6ff0f0/

SH256 hash:

a5b180931c07f5d51814591f8faa31e10e2385b9405b59f7a2dce9c19aff945c

MD5 hash:

5db9ddde3095ac048b6b90d63e38ce43

SHA1 hash:

5d7f5d54a42bdc30c5c61ce740719eeccc09cb34

Link:

https://www.unpac.me/results/fea2290e-1502-488e-a935-e2986e6ff0f0/

SH256 hash:

a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf

MD5 hash:

43dc1d7eeef9b4ca0d455404b12c34c8

SHA1 hash:

2e618174d09b00abc16d34bff7b646e036adf253

Link:

https://www.unpac.me/results/fea2290e-1502-488e-a935-e2986e6ff0f0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_EXE_Packed_ASPack Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with ASPack

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe a1ee855e975db8957456fc60c33eb040b7bdc2ff79dbd9799f379a4dcade71bf

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/379080/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample