MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a56dd4e72295bf7c79d989c938c8be1f6b0c7f3615c4ca1ceb44e3ebe2d780bb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a56dd4e72295bf7c79d989c938c8be1f6b0c7f3615c4ca1ceb44e3ebe2d780bb
SHA3-384 hash: e685b1d8ba9358ccbdde3d7f56e1c4eef5c08b8de11d876bf5f148166455a21f874b09a9384cc77f32a2733adb433d07
SHA1 hash: a27e34eb56040afad8e307d53c06e139dca22905
MD5 hash: 09345962793d76969d8c457917a63a89
humanhash: mobile-pluto-cold-oven
File name:Purchase Order.exe
Download: download sample
File size:829'440 bytes
First seen:2021-02-24 06:55:58 UTC
Last seen:2021-02-24 09:04:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:iu8aySCiSdWunLEQiydW+PWk7iWriyfpbkukWO8JxdeWXR/05pG2mJ02NfM0486p:i/yIxwktNfq84d
Threatray 6 similar samples on MalwareBazaar
TLSH 0A05F70716A8BF57F9BE9738E36446098BF4F456E320CB0E7DE069D98A36F418616703
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: shengda-alu.com
Sending IP: 185.136.159.208
From: David R.E. Hale <sales@shengda-alu.com>
Subject: Re: Purchase Order
Attachment: Purchase-Order.cpio (contains "Purchase Order.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Purchase Order.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-24 07:09:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/effd5353-3c72-497b-84bc-368a7903f367

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118845/
Detection(s):
SecuriteInfo.com.W32.MSIL_Kryptik.CUA.genEldorado.21221.17006.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/616206
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357107 Sample: Purchase Order.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 80 28 Sigma detected: Scheduled temp file as task from temp location 2->28 30 Yara detected AntiVM_3 2->30 32 .NET source code contains potential unpacker 2->32 34 5 other signatures 2->34 7 Purchase Order.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\...\XmjtianZRVnfjX.exe, PE32 7->20 dropped 22 C:\...\XmjtianZRVnfjX.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp6431.tmp, XML 7->24 dropped 26 C:\Users\user\...\Purchase Order.exe.log, ASCII 7->26 dropped 10 schtasks.exe 1 7->10         started        12 Purchase Order.exe 7->12         started        14 Purchase Order.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a56dd4e72295bf7c79d989c938c8be1f6b0c7f3615c4ca1ceb44e3ebe2d780bb/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 06:56:17 UTC
AV detection:
6 of 47 (12.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvw5jzzcsw7xy6ozrhetrsf6d5vqy7zwcxcmuhhlitr6xywxqc5q._file
Verdict:
unknown
Similar samples:
2d485079e6ea5f70104e6a625cd6a3afc285e80c6b48ace8cc1c78b131d89897
3bef507a02758532f025b9e26a73e2cc2350e38ad47c21a73c1329a8648efed9
536658ca5cd0cfe41706073016c38e8aa40949b897e0fc68dc821ea842c85e77
c9250dd03b2e189b23024d6c491fcf636a6480c4e9c078e6dbe91802779a1846
e418958dc7d42216f8f151aef40df718df0a6a20d7d70c9954f7bd82953707a7
ff3f86e0516f848f1a75847b807e00503530968fbd656b88236109735f225688
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210224-zm1vnakkhe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
68b716109ff4e18e21bd0acacb3796f7930771d19f6a766d7d3aa0bbde4ce7e0
MD5 hash:
a3d1d373062f59282307d4b9966d702b
SHA1 hash:
60c9c330e6ff63d3e0b3b0b700ac37bde5997ced
Link:
https://www.unpac.me/results/e78e14e8-35b6-4579-94ae-b9e692bbb3a7/
SH256 hash:
a56dd4e72295bf7c79d989c938c8be1f6b0c7f3615c4ca1ceb44e3ebe2d780bb
MD5 hash:
09345962793d76969d8c457917a63a89
SHA1 hash:
a27e34eb56040afad8e307d53c06e139dca22905
Link:
https://www.unpac.me/results/e78e14e8-35b6-4579-94ae-b9e692bbb3a7/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

unknown 4589548efeb9bc98b450dbd9d639699821fa17692b830644d8e9982226c6559c

Executable exe a56dd4e72295bf7c79d989c938c8be1f6b0c7f3615c4ca1ceb44e3ebe2d780bb

(this sample)

  
Dropped by
MD5 615dc5fa3109be3acb3ff07d7d62854a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4589548efeb9bc98b450dbd9d639699821fa17692b830644d8e9982226c6559c
Cape
Cape
https://www.capesandbox.com/analysis/118845/

Comments