MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93
SHA3-384 hash: 8a83f024dc12d0c2f44810066731def623acfcf39f9cff5749ac305403a5b1367eb824576ad960a8e2dddd2bc5e2056a
SHA1 hash: f45852d339c30296fd0dc6cf0dfb5ba732a5db91
MD5 hash: aa282aa5bda67cd5f99a74764b881be1
humanhash: texas-failed-wisconsin-uniform
File name:Our New Order New shipment..exe
Download: download sample
File size:1'197'056 bytes
First seen:2023-03-20 07:25:05 UTC
Last seen:2023-03-27 05:28:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:Ml+yynEmDddbdTMmJU/PQuYXOK52OzJCKd89kgf0QRXnGo6:MnY+gkQZXt52O1CKGkTQRXV
Threatray 82 similar samples on MalwareBazaar
TLSH T1C8450158B698DB25C57E0BFAD03450F053376D65E622E34B9E8D3CDA3D327844A0AB93
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter adrian__luca
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
198
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Our New Order New shipment..exe
Verdict:
Malicious activity
Analysis date:
2023-03-20 07:37:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d4149a5-e8d5-4af4-9dac-e1264f7c0f5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375785/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
75%
Tags:
packed
Link:
https://www.filescan.io/uploads/64180a8d3b01ade53e6f9976/reports/ba3beba8-d632-468f-a4be-a4bd25c90900/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ca6f2f6-59a3-4826-8b89-26177fa3eaa6
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1197422
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-03-18 03:56:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
71
AV detection:
18 of 21 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=veo4uxzorhki7wyjwn57s4v6n33in5foqtxadolijk4wqbunbsjq._file
Verdict:
malicious
Similar samples:
0323277770dc3d499264c4dcac77e3f18164ae8d2409f1d503602b0c8b966ba6
0bd6d3905b8463f23246c3b7953239277f0ffbf0096367ca02dce1cc38cc4e27
163db4da78af3020f61a1d98aa27be9377038f4d254bfe84f19ce9c324c849fe
353a133b42bee88f0bc7c2fb4c5bcac42d1d63e5098c1c4bf881670c7dfa2c9e
3c10a2630cc7569328614192fc7e6fea9b15fc9a6d56f847eff860ba5ea15816
a8e34f0afa9d78ee85eaea3f14d16dd9180d4adc10d82dbd857394d5e2b3d9d6
cbda14adc5ddc1c7dcaab3718dd25805b8c0b720db8678715a754754a214e05f
de19b88c284dcc4b18ea43b7e4dc96679ea39dda05016869cfd2c0aac3132a1c
+ 72 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/230320-h9j8jacc65/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
SH256 hash:
e9f5052261e8e0529ddbc43033cb2bc8ab73e06f9fe63e8d606d0b494559c9bf
MD5 hash:
604c8f2ef0593fa19d19a582a84b4f1e
SHA1 hash:
43a7df0740fe5817601f2d7858c23e5e113dcada
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
SH256 hash:
ca9291b91d6067d9293aea63d9f1e04378bea3cd2248a7a82539096d3de954f5
MD5 hash:
6b18fe6007bb0bb62bb4404e161ebac3
SHA1 hash:
b2070d363e470c9f637ba7516fb2f57f91366566
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
SH256 hash:
4ede4e151bc5b6a8227a955ec72c74fd6d0b926beac8dca1433d0e84e1703f78
MD5 hash:
7090e4731d2f9685c744c50c5885ef0c
SHA1 hash:
a40e57f9f8cbffd235192663852bb723e8b8f008
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
SH256 hash:
088290b50b69ffc2180d84227d3e4f5c038d10a3326be0281a43f970777eb8b9
MD5 hash:
1a7c0516b72eacdcaeb4e9907bda2c82
SHA1 hash:
540209aec60a3fce045b6353d578c055b24e5852
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
SH256 hash:
768177cb74f4da14474e61d66d6f0e3535ba4ad2cf61a2ac4de28d18061db58b
MD5 hash:
68db3784536c2c089d430da6e73d9f14
SHA1 hash:
2dbb634d5732c376bbb8b07357e431596880abdf
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
SH256 hash:
a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93
MD5 hash:
aa282aa5bda67cd5f99a74764b881be1
SHA1 hash:
f45852d339c30296fd0dc6cf0dfb5ba732a5db91
Link:
https://www.unpac.me/results/30670310-d00b-4ec4-87df-4d09e1076e5d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/375785/

Comments