MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae7f27cb47faadb14fd76d3669d0aa2bcbfccf8afb06da7431f55abd381a1197. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 11



SHA256 hash: ae7f27cb47faadb14fd76d3669d0aa2bcbfccf8afb06da7431f55abd381a1197
SHA3-384 hash: bb628b181c377554471f081b131ca745b015202efb90f145708db4a328d5fb56bf81083416250e12b5bada5d73fdb6d1
SHA1 hash: 2def43269a55a6e0d4cab3ca9486c77c0e29cac1
MD5 hash: 6abb2287b6a858dbcfd46f31cb18295b
humanhash: nineteen-xray-carolina-may
File name: Payment Confirmation.pdf.exe
File size: 2'342'912 bytes
First seen: 2021-12-08 11:40:35 UTC
Last seen: 2021-12-08 13:35:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 49152:s+2LvRMVy/GF3warFJgz8iejgdSkqZc7CYKtj5Stt4pdFHg/6:9oYQejgdbqYm5SX+xg/6
Threatray: 133 similar samples on MalwareBazaar
TLSH: T163B523BC3693E7CDD811A2353B6AD068527A2D7A0813C29AE0E9734F5A33705B973653
Reporter: GovCERT_CH
Tags: exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Payment Confirmation.pdf.exe
Verdict: Suspicious activity
Analysis date: 2021-12-08 11:42:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fareit obfuscated packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: spre.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Creates multiple autostart registry keys
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AntiVM3
Behaviour
Behavior Graph ID: 536276 (sample: Payment Confirmation.pdf.exe, start date: 08/12/2021, architecture: WINDOWS, score: 100). Process tree and per-process findings recovered from the graph export:

Sample start [Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected AntiVM3; 7 other signatures]
  Payment Confirmation.pdf.exe [drops C:\Users\...\Payment Confirmation.pdf.exe.log (ASCII); Injects a PE file into a foreign processes]
    Payment Confirmation.pdf.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)]
      BackgroundTransferHost.exe
      Payment Confirmation.pdf.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)]
        Payment Confirmation.pdf.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)]
          Payment Confirmation.pdf.exe [drops C:\Users\user\AppData\Roaming\...\secdrv.exe (PE32), C:\Users\user\AppData\...\LookupSvi.exe (PE32); Hides that the sample has been downloaded from the Internet (zone.identifier)]
            Payment Confirmation.pdf.exe [drops C:\Users\user\AppData\Roaming\...\ProfSvc.exe (PE32), C:\Users\user\AppData\...\AeLookupSvi.exe (PE32); Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes]
              Payment Confirmation.pdf.exe [Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes]
                Payment Confirmation.pdf.exe [drops C:\Users\user\AppData\Roaming\Paint.exe (PE32), C:\Program Files\...\vchrome_proxy.exe (copy, PE32), C:\Program Files\...\vchrome.exe (copy, PE32), 15 other malicious files; Infects executable files (exe, dll, sys, html)]
              AeLookupSvi.exe [Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Creates multiple autostart registry keys]
                ProfSvc.exe [Machine Learning detection for dropped file; Injects a PE file into a foreign processes]
                  ProfSvc.exe [Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes]
            LookupSvi.exe [Antivirus detection for dropped file; Machine Learning detection for dropped file; Creates multiple autostart registry keys]
              secdrv.exe
                secdrv.exe [Hides that the sample has been downloaded from the Internet (zone.identifier)]
                  secdrv.exe
                    secdrv.exe
  Paint.exe [Machine Learning detection for dropped file]
  LookupSvi.exe
  3 other processes
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-12-07 20:45:00 UTC
File Type: PE (.Net Exe)
Extracted files: 25
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe ae7f27cb47faadb14fd76d3669d0aa2bcbfccf8afb06da7431f55abd381a1197 (this sample)
Delivery method: Distributed via e-mail attachment
