MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866
SHA3-384 hash: badf58b511f4bc847962eeda529aae303a97fbf81b1379a67315c29f91432951022250e1b13b6e155c11082c71550301
SHA1 hash: 46104df79485e75939eed5ef2f32ec0c3ba80df3
MD5 hash: a00d8a6793b3ff70ba375aec4eb40df4
humanhash: eleven-network-lima-hotel
File name:WaybillDoc_5736357561.pdf.exe
Download: download sample
File size:1'631'232 bytes
First seen:2021-04-22 06:13:17 UTC
Last seen:2021-04-22 07:19:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:oR9PF2oORgt9GHfhrJ9KWzR0YCnyAgsBSmzpq8RRRRR5q:8ajfht+Y2yA5Bzpq8RRRRR
Threatray 4'327 similar samples on MalwareBazaar
TLSH B275E141B2A9C8BAD41723F1D896F5F41291AD48EE22952F359FBE1F75B33421093E0B
Reporter theDark3d
Tags:malware zmutzy

Intelligence

File Origin
# of uploads :
2
# of downloads :
210
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WaybillDoc_5736357561.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-22 07:34:46 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/3157982a-3adc-430f-9797-81b5b6167f64

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143528/
Detection(s):
SecuriteInfo.com.Scr.Malcodegdn30.9178.29308.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/692512
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 395194 Sample: WaybillDoc_5736357561.pdf.exe Startdate: 22/04/2021 Architecture: WINDOWS Score: 100 37 Malicious sample detected (through community Yara rule) 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 Yara detected AntiVM3 2->41 43 5 other signatures 2->43 8 WaybillDoc_5736357561.pdf.exe 3 2->8         started        process3 file4 29 C:\...\WaybillDoc_5736357561.pdf.exe.log, ASCII 8->29 dropped 45 Detected unpacking (creates a PE file in dynamic memory) 8->45 47 Injects a PE file into a foreign processes 8->47 12 WaybillDoc_5736357561.pdf.exe 1 15 8->12         started        16 WaybillDoc_5736357561.pdf.exe 8->16         started        18 WaybillDoc_5736357561.pdf.exe 8->18         started        20 WaybillDoc_5736357561.pdf.exe 8->20         started        signatures5 process6 dnsIp7 35 secure.emailsrvr.com 184.106.54.10, 465, 49727 RACKSPACEUS United States 12->35 49 Tries to steal Crypto Currency Wallets 12->49 51 Installs a global keyboard hook 12->51 22 InstallUtil.exe 15 16 12->22         started        25 AppLaunch.exe 12->25         started        signatures8 process9 dnsIp10 31 api.anonfile.com 45.148.16.46, 443, 49724 OBE-EUROPEObenetworkEuropeSE Sweden 22->31 33 anonfiles.com 172.67.191.178, 443, 49725 CLOUDFLARENETUS United States 22->33 27 WerFault.exe 25->27         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 06:49:46 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=voqbdnpyg6j45pa47nfb545ozo5hupvhm2v3iwjwhmwyxni7hbta._file
Verdict:
suspicious
Similar samples:
222386adc9e4c25fd36319d0ad90f5e9eca14aa8cf3b3f3425dcb60a5fea4b30
32672928863af3e154d0e2cc454c5fd31f217a3bfabc7acff2223bb72a5bbe6f
340a639e1ec7cb2afa90a2aba177b368e13efc4dd1313e32af30b6ceb259f7d3
3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
4e54f08a98b07f89fe1441642c32d046c37875460aa66d03111b3c6219707842
97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f
a2bd87a81b3cc4f40cc8f1e6ba1111a010ad3970b4dff9e98c729142af28b823
d4577b6598fbbf11cfa28b876e1bcb6eaaaa256a8a3f1e82a88ae561854da9ad
da3f2156d9c0809395cf299e9818a43849a62226ab3b95fcdc0abd4eda78b3a6
f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582
+ 4'317 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210422-v2emwffd2e/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads local data of messenger clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/143528/

Comments