MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f
SHA3-384 hash: 177428b3d6bb9f72cd2fd35cb9c29358920359189df16808d4b68300d87b876444d5f576f13ab320b9addab75b8f2356
SHA1 hash: bb54c78cbd3923d1734f43b571d61dc39d2203a2
MD5 hash: 387cd51cb271329c54133bcb1a8dd2f9
humanhash: india-grey-crazy-minnesota
File name:REMITTANCE.exe
Download: download sample
File size:509'952 bytes
First seen:2020-10-17 12:08:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:28JbcOL8O/5WODQ34n9gUREbvO++egsUQA:0OL8O/5W2CTqlQ
Threatray 5 similar samples on MalwareBazaar
TLSH 6BB4492523F44F22E4BBABF485B8500157B97C86242BE3199EC134FA1DFA7009B5B75B
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cloud.irx61.hostnegar.com
Sending IP: 5.63.12.212
From: ZHANG KUN <renation-upggraden@ahanmarkaz.com>
Subject: 20201019 Prague Deutsche Bank Payment Application
Attachment: REMITTANCE1.zip (contains "REMITTANCE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72548/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/494454
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f/
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-17 07:24:20 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xapkpst5x43v3ftbwp2xdzkcgbded23nkpuije354k6pqqdsbvxq._file
Verdict:
unknown
Similar samples:
18fd02253bd3e3458ae988dc884567ac238606beeb1095c9c849ee58becc48f7
6d3f0ca9deedbcfa8eec86ba0907881c02c986e8535b56a59b870dd8a6cafa0e
71fd91125c6e138188f4f03e12569bce2994002b07d413d57229893e0a1cb39c
7890e1c690c7e7511f550915ed85e9f7b93bcf6733aeea6b6c636bb89676f3db
b49f4c0a41fe65d3e81919eae65adb01d493e08331e0e3652b30655d55170d52
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201017-2hx4k1nbl6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f
MD5 hash:
387cd51cb271329c54133bcb1a8dd2f9
SHA1 hash:
bb54c78cbd3923d1734f43b571d61dc39d2203a2
Link:
https://www.unpac.me/results/0f1c86e2-536e-4d5f-98c0-1268eecf8391/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/0f1c86e2-536e-4d5f-98c0-1268eecf8391/
SH256 hash:
6e5742ad530d24d8021ec3d494d9ce1f7ae68f2c995147c8278873a1d724d36f
MD5 hash:
94e452836999b243d70c807e8fc401c6
SHA1 hash:
f4e8074cad3df68769ff117272a5928efd79e583
Link:
https://www.unpac.me/results/0f1c86e2-536e-4d5f-98c0-1268eecf8391/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 4e02ea06b3c45547214f935e622ba9a711def3cfb08d64b06f2be1c09269e9a5

Executable exe b81ea7ca7dbf375d9661b3f571e542304641eb6d53e884937de2bcf840720d6f

(this sample)

  
Dropped by
MD5 0a7a25028fe85e5eff4237f7bc36208f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72548/
  
Dropped by
SHA256 4e02ea06b3c45547214f935e622ba9a711def3cfb08d64b06f2be1c09269e9a5

Comments