MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e
SHA3-384 hash: 6ce9e06f07c382e8f732ade091d71107f72b3ac4c479eaef80ade5e1d1bc97ca0019769343b67dd6c24c82f5496ca823
SHA1 hash: 7b85f753de998c8d316ba42a7463a1dba423451b
MD5 hash: 0a40d098f4fb7d38442aa7824cb2d01c
humanhash: queen-vermont-victor-michigan
File name:purchase.pdf.exe
Download: download sample
File size:664'238 bytes
First seen:2020-12-09 11:04:08 UTC
Last seen:2020-12-09 13:02:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 12288:Ehxp3lZnT9bDxo9Vokpl+vTvQribgsWKWCeMFw3GMy2fnB6IVUDZ:EJlh9bD6zGw1TQrZ
Threatray 332 similar samples on MalwareBazaar
TLSH ACE45AD0B980C8B7EDA307F62C6AC62024797D5C49E5860D76953E2B76B2343206FE5F
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
purchase.pdf.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-09 11:31:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/243d8185-d080-45f9-b7bc-f908efd0c21f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107457/
Detection(s):
SecuriteInfo.com.Heur.716.24426.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Launching a process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/558939
Signature
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 328572 Sample: purchase.pdf.exe Startdate: 09/12/2020 Architecture: WINDOWS Score: 64 33 Multi AV Scanner detection for dropped file 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Uses an obfuscated file name to hide its real file extension (double extension) 2->37 39 Initial sample is a PE file and has a suspicious name 2->39 8 purchase.pdf.exe 3 10 2->8         started        process3 file4 27 C:\Users\user\AppData\Local\...\purchase.exe, PE32 8->27 dropped 11 AcroRd32.exe 39 8->11         started        process5 process6 13 RdrCEF.exe 63 11->13         started        16 AcroRd32.exe 8 6 11->16         started        dnsIp7 31 192.168.2.1 unknown unknown 13->31 18 RdrCEF.exe 13->18         started        21 RdrCEF.exe 13->21         started        23 RdrCEF.exe 13->23         started        25 2 other processes 13->25 process8 dnsIp9 29 80.0.0.0 NTLGB United Kingdom 18->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wnu5vd5dv56uqlc4qhsdprmdrdskxhp6gy5nwfqzpogicm73ibxa._file
Verdict:
malicious
Similar samples:
0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07
0d852bfcbc49afecc18e426f7d694597966256d55c225a4ae798a7e98200b5ca
4f79aa8d648c5a999fb91196040b6b68db284ba1b892217563df71db9ae477f3
66fec3cb320e4c0e2ac1dde740bc27c8a4b2b1a81b6ae77951e66ec032461e31
76299e863b71caed1b9950d904d1b52a8174b9077c9d4bc896276881caa46fad
79c4986448ffc1aeb0ef56cc0013063b008c34359f536c8e8e30aa307e30938d
8ea2458e1ff6924354036dedcbf1ee6ae2a406c97f984651b1d6ba9309c3a1e7
d322d619b77d7e1734dedd8f7f00c815fad6a59621ed9021be4a7866123c33a4
f47b1f689cbb9167ba8cfe219ed7a60d587a5e27de38743c906085906864091b
ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33
+ 322 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201209-ardkrnck2a/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Unpacked files
SH256 hash:
b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e
MD5 hash:
0a40d098f4fb7d38442aa7824cb2d01c
SHA1 hash:
7b85f753de998c8d316ba42a7463a1dba423451b
Link:
https://www.unpac.me/results/6d3c1c58-60a1-4ba5-b186-2daa5bd4e96c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/107457/

Comments