MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a464781b616c86bbd68dbf909826444f7fd6c6ae378caf074926df7aebc4e3a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments

SHA256 hash: a464781b616c86bbd68dbf909826444f7fd6c6ae378caf074926df7aebc4e3a1
SHA3-384 hash: b689878446af11b10a4402ff73f94555bfa0dbbab8292c9b26a651af96629b2b3afe6576f88714b829236b4f6a02c690
SHA1 hash: 59424ba83c93fa38f7e074a9d4eefc0d0ab2ca17
MD5 hash: c869b0fe739d0626e4474eea980dd018
humanhash: moon-september-spring-oregon
File name:a464781b616c86bbd68dbf909826444f7fd6c6ae378caf074926df7aebc4e3a1
Download: download sample
File size:152'576 bytes
First seen:2020-08-25 14:15:03 UTC
Last seen:2020-08-25 15:06:00 UTC
File type:Word file docx
MIME type:application/msword
ssdeep 3072:Vm95J7iroXgZ750U1WFRcDeGPGBSrr4zOoqnNwWwF9E:kJ76KQ7mUccDNRr4i
TLSH 6DE39D4272D7AD5BD12A0D386CF293483CB5BCA66C09E35B62E63E2C3436AF48D5170D
Reporter JAMESWT_WT

Intelligence


File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Launching a process by exploiting the app vulnerability
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
76 / 100
Signature
Antivirus / Scanner detection for submitted sample
Connects to a URL shortener service
Document contains an embedded VBA macro which may execute processes
Document exploit detected (process start blacklist hit)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 277009 Sample: MCLpK6ef08 Startdate: 25/08/2020 Architecture: WINDOWS Score: 76 32 www.bitcoinargentina.org 2->32 34 bitcoinargentina.org 2->34 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Machine Learning detection for sample 2->50 52 2 other signatures 2->52 8 WINWORD.EXE 38 41 2->8         started        12 explorer.exe 2->12         started        14 iexplore.exe 18 89 2->14         started        signatures3 process4 file5 28 C:\Users\user\AppData\...\MCLpK6ef08.doc.LNK, MS 8->28 dropped 30 C:\Users\PublicxLink.lnk, MS 8->30 dropped 54 Injects code into the Windows Explorer (explorer.exe) 8->54 56 Document exploit detected (process start blacklist hit) 8->56 16 explorer.exe 1 8->16         started        18 cmd.exe 1 12->18         started        20 iexplore.exe 6 216 14->20         started        signatures6 process7 dnsIp8 23 mshta.exe 15 18->23         started        26 conhost.exe 1 18->26         started        36 www.bitcoinargentina.org 20->36 38 pagead46.l.doubleclick.net 172.217.21.2, 443, 49785, 49786 GOOGLEUS United States 20->38 40 12 other IPs or domains 20->40 process9 dnsIp10 42 drive.gogleshare.xyz 23->42 44 bit.ly 67.199.248.10, 443, 49720 GOOGLE-PRIVATE-CLOUDUS United States 23->44
Threat name:
Script-Macro.Downloader.SLoad
Status:
Malicious
First seen:
2019-01-14 21:05:31 UTC
File Type:
Document
Extracted files:
19
AV detection:
28 of 47 (59.57%)
Threat level:
  3/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Behaviour
Office macro that triggers on suspicious action
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments