MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b926187727e7694734415325657b2e2c4feb80a5c71cb3ca6c67970e4c586a50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b926187727e7694734415325657b2e2c4feb80a5c71cb3ca6c67970e4c586a50
SHA3-384 hash: 2b72bb764ea710dde1c177f2bbcd071279f7b057e3fb3fe072178023e8f8b1d3f31b8855beb813349c79cf23e379d1a4
SHA1 hash: 0d70b30f20ecb891ee130f9f98b52804cbcb755a
MD5 hash: 76a358875f6089577a1d223712190015
humanhash: california-carbon-cat-romeo
File name:RFQ - PURCHASE ORDER .exe
Download: download sample
File size:345'255 bytes
First seen:2021-01-06 07:52:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d128eb7ea856bba943551916724c67f5
ssdeep 1536:eLdbirqaB/18lHtgsQDom/ZZPvaTfXgY1zUTyN5hoDd:eLM/18T6DphZPKXgTTYj6d
Threatray 1 similar samples on MalwareBazaar
TLSH FC74544E4606096FE96079B1855E6B4805902FBC3EB3E772FD14B543FA727C7A0234BA
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cosmo.securesvr.net
Sending IP: 139.99.69.157
From: Sharron Alkha <sales@special-captain.com>
Reply-To: starmegtrades@yahoo.com
Subject: RFQ/PI
Attachment: RFQ - PURCHASE ORDER .rar (contains "RFQ - PURCHASE ORDER .exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ - PURCHASE ORDER .exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:54:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c98f7c69-a2ad-4117-9ccc-cf2eeab2397b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110704/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Ag-1
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Creating a window
Sending a UDP request
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/574897
Signature
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Executable has a suspicious name (potential lure to open the executable)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b926187727e7694734415325657b2e2c4feb80a5c71cb3ca6c67970e4c586a50/
Threat name:
Win32.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 01:29:14 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xetbq5zh45uuoncbkmswk6zofrh6xaffy4olhstmm6lq4tcynjia._file
Verdict:
suspicious
Similar samples:
3e528ae82c1f0a1e531ebefb50870eaf369d3a03064c41bf0020e1f84f08007b
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210106-gjejn466m2/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
b926187727e7694734415325657b2e2c4feb80a5c71cb3ca6c67970e4c586a50
MD5 hash:
76a358875f6089577a1d223712190015
SHA1 hash:
0d70b30f20ecb891ee130f9f98b52804cbcb755a
Link:
https://www.unpac.me/results/6d849cac-9113-4a34-b665-e1d2435f2f60/
SH256 hash:
5fb4f2e53c144f29bb3ecd66a41712a3df162c3d8843e04c2582ccf14c027e9c
MD5 hash:
f0c0ccf1e2e87bc6385f8fd9cea69469
SHA1 hash:
5c9cd275f48de1aedf586f472f910c6bb54da15b
Link:
https://www.unpac.me/results/6d849cac-9113-4a34-b665-e1d2435f2f60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Banload
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b926187727e7694734415325657b2e2c4feb80a5c71cb3ca6c67970e4c586a50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 7dc1bbd923f8a7b7e02fee5341700836ea7682cd8fe0a85d57bb93550e4b9202

Executable exe b926187727e7694734415325657b2e2c4feb80a5c71cb3ca6c67970e4c586a50

(this sample)

  
Dropped by
MD5 22a88ea711efbe072b8bd4490d1d613f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 7dc1bbd923f8a7b7e02fee5341700836ea7682cd8fe0a85d57bb93550e4b9202
Cape
Cape
https://www.capesandbox.com/analysis/110704/

Comments