MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de
SHA3-384 hash: 14ca861ee9b9e1ae2c28106f7913cf780ce21fa12fadd273734e68f1d0ae5c1e5b3cf5cfa7e294ec424a462974e83e00
SHA1 hash: ca4681b1f0f8fe4c2f8d142a85b08e56307a8f65
MD5 hash: e6e25bc559a331c79f173920071e4f8e
humanhash: foxtrot-tennessee-alabama-oranges
File name:Ficha OMS - Reserva Medicos.exe
Download: download sample
File size:720'135 bytes
First seen:2020-07-12 08:31:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 6144:e/fAhvV6B8ErzPZp5wdz753RSjpPBUHzkxSln8Wgoy:efAv6B8azBwd+pPeHzkxSlnZgoy
Threatray 263 similar samples on MalwareBazaar
TLSH 02E43802AD8EC0A1D2211537D825F6FA362D6D271BF0B9CB73907F2BB5318C256B5B52
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smtp-r144129.pro-smtp.fr
Sending IP: 185.254.144.129
From: <bestco@reservasbestco.com.br>
Subject: Solicitação de Reserva
Attachment: Ficha OMS - Reserva Medicos.rar (contains "Ficha OMS - Reserva Medicos.exe")

Unknown payload URL:
http://reservasbestco.com.br/final.jpg

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.31721986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Running batch commands
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de/
Threat name:
Win32.Trojan.Hynamer
Create hunting rule
Status:
Malicious
First seen:
2020-07-12 08:33:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wxrzofxvo3s76ipjivlavghopsttbferwk37ezbxfdgtig44dhpa._file
Verdict:
malicious
Similar samples:
1aca49752cef2bb58d097e0ac96963e32f14e4e6b1e6e24e11125d1e9ef54cf2
3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98
43ed3081859def68a8b2ef50292e6d9dcbac7aea6ddb03de294fb9ed367c9f06
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
6ec6d3425cc3bdc664f5938119469a2947ad061dac33fafbd303998c9311a254
70d86fc8d1247dcd26ed0927411614973d45216d676978f768e14cb16d362536
8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
90dd2d39ffc0ebcf1db286191a316c833ddc3111337e1c05e3d847e03e67c377
b5c7fbd5e805b6f1a9796c041be4f9829d2157e5b59a6608871511d045b8d79c
c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706
+ 253 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200712-166ae9l36j/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
An obfuscated cmd.exe command-line is typically used to evade detection.
An obfuscated cmd.exe command-line is typically used to evade detection.
Blacklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 7c6d001886a2ce4f4293c92cece2c3e3fc175386a977df4e5c654fb077c9761a

Executable exe b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/411996/
  
Dropped by
MD5 f6159c18fe39261363780912429f7353
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24849/
  
Dropped by
SHA256 7c6d001886a2ce4f4293c92cece2c3e3fc175386a977df4e5c654fb077c9761a

Comments