MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2
SHA3-384 hash: 9745f79d05c134f16b282275b15dc7520c5bef91c1e9034ac5fea242ea1da7e358174236fde87923390099cbc4e5d5d2
SHA1 hash: c118269debaa79341968895fe21080d5faacdc57
MD5 hash: 7e25d0c57fc2fa19ec71605dd231a1da
humanhash: bacon-timing-mirror-fourteen
File name:Order Confirmation 7301438.exe
Download: download sample
File size:430'080 bytes
First seen:2022-12-12 14:25:59 UTC
Last seen:2022-12-16 19:37:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:s7bItJ0fh+uHgrfjrNSK/yL0ixthcpbqk2ai59rF92Yxhd4A3mvCIWcqJIBic6L8:s3+uAheYpWk8m2hd4A3i7OHDR/4lN
Threatray 789 similar samples on MalwareBazaar
TLSH T15194F1F373AC77D8C40B79395903E5F78C048076CCE6926261C261664CA6F49BF6AE72
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Reporter James_inthe_box
Tags:exe

Intelligence

File Origin
# of uploads :
6
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order Confirmation 7301438.exe
Verdict:
Suspicious activity
Analysis date:
2022-12-12 14:28:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/60dbac92-ec5a-4885-877e-c55d687e139e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/345460/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.55409.24699.23266.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/639739fc9a505ad9423f341d/reports/ac85e021-89a9-4779-992e-b3f0fa74fd8d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/78a747e5-64c7-40a0-8454-a96f36a0d11d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1132693
Signature
.NET source code contains very large array initializations
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2/
Threat name:
ByteCode-MSIL.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2022-12-12 09:50:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v52a44x5yu3lsnitr7tjotr4jj55tflk432hxodcophusns4mlja._file
Verdict:
malicious
Similar samples:
03c8ae088d9b5ed64de0ac1782f3b2a9ee31ebd3597d03f285a0c31b9e6ef25f
292234b4e44187b5549566ead6297f05dc6b40310e4f1b1384ce190a79891117
30b9abba303c9e7186148b7a36e0f6c8ba15fba0a266fd4bae27690219231cad
473e99cdf2dc25a6bf43a56e9b095639776294bea38321c079cceecb3678c28d
4911e766770f8f08977e5854fe87bef96d29e80b8c5a0ef483d362d18c9941dd
66bfc82c4f69f36538f7ff9f5949f72288805850f4b64980c17ec930c6baf224
7a3d9a2e7fbcdd35fa3c5c195892b4c7940c669cde48def4832aa7e91736d532
81b35baa6211c517fbe57749520eaf024a4f76b5aa7c90e63e509095e0a665a3
c00660379db4da598cf59eeb74ae9a686803cc4296cbde73a61c988cf87e1d44
fe5734f6621e30a2686219f31e5ebcca7e7851e8a572baf1463551de0d72d4ea
+ 779 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/221212-rrt5fsec2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/facb34d8-3ce5-430c-a0fb-ad8e0d88a808
Unpacked files
SH256 hash:
af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2
MD5 hash:
7e25d0c57fc2fa19ec71605dd231a1da
SHA1 hash:
c118269debaa79341968895fe21080d5faacdc57
Link:
https://www.unpac.me/results/173e1b27-4fb7-4eb7-a187-051f8af58042/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip b4d4f81eb7efc6aec8a7eb05c21da69e61ab1fe0e5a518e201bcfee48a87a416

Executable exe af740e72fdc536b935138fe6974e3c4a7bd9956ae6f47bb86273cf49365c62d2

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/345460/
  
Dropped by
SHA256 b4d4f81eb7efc6aec8a7eb05c21da69e61ab1fe0e5a518e201bcfee48a87a416
  
Dropped by
MD5 380450f7a7f42b562a1a30d586e7730f

Comments