MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd
SHA3-384 hash: 9d18a78036a0b60b12a0492b8b2128334ad26e0d54643195c92fa24a33b532d4ca455b95f81a003718470170301ad532
SHA1 hash: 5fc01c3e2b2914087612b42560bf9a20ce669c10
MD5 hash: 403ab354e86bcfad7664c518df3c85fd
humanhash: delta-friend-beer-delaware
File name:Order PONSB 04042021.pdf(939MB).exe
Download: download sample
File size:962'560 bytes
First seen:2021-04-04 13:46:57 UTC
Last seen:2021-04-04 15:31:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:nXWEeCaiCa078vq1M7ZE5PvfpbdOtPzZ:XOyCa04q1M7ZE53BdaZ
TLSH 3125E061B3586F69E53EA3798020965093F1FC07E732E79E7EE150DC19A1F808726E63
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: naseem-baghdad.com
Sending IP: 31.210.20.235
From: info@naseem-baghdad.com
Reply-To: info@naseern-baghdad.com
Subject: Re: Order PO/NSB 04/04/2021
Attachment: Order PONSB 04042021.pdf939MB.rar (contains "Order PONSB 04042021.pdf(939MB).exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Order PONSB 04042021.pdf(939MB).exe
Verdict:
Suspicious activity
Analysis date:
2021-04-04 13:49:40 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ce72bc9e-6865-4874-b7dd-6184a89fe34d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132096/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.623-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ba8dfb74-5399-4c36-b130-4ad03f1eec93
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665585
Signature
.NET source code contains potential unpacker
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected AntiVM3
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381720 Sample: Order PONSB 04042021.pdf(93... Startdate: 04/04/2021 Architecture: WINDOWS Score: 100 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 61 Detected unpacking (creates a PE file in dynamic memory) 2->61 63 8 other signatures 2->63 8 Order PONSB 04042021.pdf(939MB).exe 3 2->8         started        12 Order PONSB 04042021.pdf(939MB).exe 2->12         started        14 Order PONSB 04042021.pdf(939MB).exe 2->14         started        process3 file4 43 Order PONSB 04042021.pdf(939MB).exe.log, ASCII 8->43 dropped 65 Injects a PE file into a foreign processes 8->65 16 Order PONSB 04042021.pdf(939MB).exe 2 15 8->16         started        20 Order PONSB 04042021.pdf(939MB).exe 12->20         started        22 Order PONSB 04042021.pdf(939MB).exe 12->22         started        24 Order PONSB 04042021.pdf(939MB).exe 14->24         started        signatures5 process6 dnsIp7 45 snacksnco.com 146.71.86.122, 465, 49744 SHOCK-1US United States 16->45 47 mail.snacksnco.com 16->47 53 Tries to steal Crypto Currency Wallets 16->53 55 Installs a global keyboard hook 16->55 26 AppLaunch.exe 2 16->26         started        29 AppLaunch.exe 5 16->29         started        31 InstallUtil.exe 15 2 16->31         started        34 InstallUtil.exe 16->34         started        signatures8 process9 dnsIp10 67 Tries to steal Instant Messenger accounts or passwords 26->67 69 Tries to steal Mail credentials (via file access) 26->69 71 Tries to harvest and steal browser information (history, passwords, etc) 26->71 36 WerFault.exe 26->36         started        39 WerFault.exe 23 9 29->39         started        51 api.anonfile.com 45.148.16.42, 443, 49724 OBE-EUROPEObenetworkEuropeSE Sweden 31->51 41 WerFault.exe 31->41         started        signatures11 process12 dnsIp13 49 192.168.2.1 unknown unknown 36->49
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 07:46:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
47
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=w2hvvq2wmtqeaosynudbphe5j4ct6bujwya677u7tqeb2kzs6pgq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210404-m84rvw7np2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/f41061b2-8ed6-41ed-ade8-e67f7e5179ea/
SH256 hash:
b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd
MD5 hash:
403ab354e86bcfad7664c518df3c85fd
SHA1 hash:
5fc01c3e2b2914087612b42560bf9a20ce669c10
Link:
https://www.unpac.me/results/f41061b2-8ed6-41ed-ade8-e67f7e5179ea/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar db2f6797ce2888af8b7761f4c081f7cfaf7cc3ecdc729056aa6e151f7bcae52c

Executable exe b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd

(this sample)

  
Dropped by
MD5 17b50047375cdfba0bf56fbe2c649160
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 db2f6797ce2888af8b7761f4c081f7cfaf7cc3ecdc729056aa6e151f7bcae52c
Cape
Cape
https://www.capesandbox.com/analysis/132096/

Comments