MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdeaa77c826a8caeb388970a54ff4b7bd93b29f8af39106fadabf9ee8b47178d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdeaa77c826a8caeb388970a54ff4b7bd93b29f8af39106fadabf9ee8b47178d
SHA3-384 hash: 35283e9d534a3a55a6dabe3b51c4b1ccebe6823307a7af3ea805689e971119b13aa097f6aa507775a3b0243db3e20923
SHA1 hash: bf1edba165c83659aa7de9329585e6593c9a9ced
MD5 hash: 092359c53d90886e56d569f8352f2836
humanhash: fish-eleven-ten-five
File name:FedEx Pickup Confirmation.xlxs.exe
Download: download sample
File size:530'944 bytes
First seen:2021-11-01 09:28:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:R78H1lZP9Tl8mB4cOVGpxZoRYLc/uFHlEHwOiuTwfuke:SZFTXBikbGYA/mEHzfwfuke
Threatray 16 similar samples on MalwareBazaar
TLSH T196B4BF26627C6F53D93463FC84217108ABB06621BC97DB4D9FC173DE8A327B5AD60683
Reporter abuse_ch
Tags:exe FedEx

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FedEx Pickup Confirmation.xlxs.exe
Verdict:
Suspicious activity
Analysis date:
2021-11-01 12:30:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/73081cf2-0cd0-46e2-9848-5ac11f9fd291

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Inject4.18180-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617ff9d6db358dd15ee33e7b/reports/936b64fb-f4a6-4936-85e1-770994e37b93/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2c1a0e88-47ae-490b-934e-19f5d7db9e14
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/880260
Signature
.NET source code contains potential unpacker
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdeaa77c826a8caeb388970a54ff4b7bd93b29f8af39106fadabf9ee8b47178d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 09:29:05 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xxvko7ecnkgk5m4is4ffj72lppmtwkpyv44ra35nvp465c2hc6gq._file
Verdict:
malicious
Similar samples:
060e86dcefb73c566dff70cc68ffb1a330e3fc3017e80f4ff42f20df959f0068
1d07ba3818460950a41107248ebad65eea18efc3c151aa275be107732f3625d6
3817ce74e0428b78c0394a0f603fb30c01e30e3be4d93909ddd5397e43813881
5216b6dfa49d4bb81595286acc1622c0f58137720148e68bc3d7b8dc40978503
6447ed8f3f7c8d1bb038b60c063f722016af4c75e8900de259d12c30c4230d90
8a11296b3d53ddb6282cb7e13903ebff1133289a199b45283f47668f905f9258
9c1dff75f4eab58eed1bbec54970c5fa5b3bcf52518af40558d5a16c2e45de51
ab5c29e94cda16d44ba0b3fec24ff2a46bf9518ab2787730dde2be0db8e22d58
d47a3349da0b35cfea76ee1546923b623d7b02eba6c20a5d4db13019aff1766b
f4836d7f1e0a6aea620b727084a620cca0f10819eb6b8646fa5b450a571fef19
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211101-lfw7saebfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
7ec7c47de5927351c7035f8657a2dd91c42fd6ed6e4da309e34b87ef0b0ba785
MD5 hash:
171a2669225911b41301096cd9dcf19f
SHA1 hash:
dc25f1f69faec5174e489a0d1a18cf14cf7fd1b5
Link:
https://www.unpac.me/results/d09c9fc3-95a9-4bac-a0fe-0e10b07bc8a5/
SH256 hash:
6f876868b05607ecf60006d1bf5ee761c43ea21d4b5db9d341557486088b0d54
MD5 hash:
a0a2b680b726af49ba038ae4d6673c8e
SHA1 hash:
a7fc7221ccd7f4f1d5287bd5fdd9a562d04e6717
Link:
https://www.unpac.me/results/d09c9fc3-95a9-4bac-a0fe-0e10b07bc8a5/
SH256 hash:
bdeaa77c826a8caeb388970a54ff4b7bd93b29f8af39106fadabf9ee8b47178d
MD5 hash:
092359c53d90886e56d569f8352f2836
SHA1 hash:
bf1edba165c83659aa7de9329585e6593c9a9ced
Link:
https://www.unpac.me/results/d09c9fc3-95a9-4bac-a0fe-0e10b07bc8a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/bdeaa77c826a8caeb388970a54ff4b7bd93b29f8af39106fadabf9ee8b47178d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe bdeaa77c826a8caeb388970a54ff4b7bd93b29f8af39106fadabf9ee8b47178d

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments