MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf0d1bf23351a82eddca116c85801b4d1bbe328933e729c735226f9563432544. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf0d1bf23351a82eddca116c85801b4d1bbe328933e729c735226f9563432544
SHA3-384 hash: c6cea56f9b971e7199f04738a958926c511f5b9bb5880086ad6868167e38dff4c9cd9227cf318efc054556238650791b
SHA1 hash: d6fd4bd24923e2ba57d86117fd27d7248e84d3e1
MD5 hash: af83e45292be69defcde71a4ff87ed5e
humanhash: salami-echo-ceiling-paris
File name:IMG.interior_08-20.exe
Download: download sample
File size:730'112 bytes
First seen:2020-08-30 06:04:53 UTC
Last seen:2020-08-30 07:19:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 3072:4DPakXmUDaM+Q30RDxVr2ljP065i2Lh5Tqf3de8/bpL3Wg+V0DGF0du18X6OEZha:8XmU2A0oFvTk/bpL3x+/edu8uQn
Threatray 36 similar samples on MalwareBazaar
TLSH D6F4822139CB9834DA6702FD0025EAC1B621BD46FAB5873E738717596E0526BFF1A4CC
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.fcuset.com
Sending IP: 209.182.216.88
From: Martin Nordstrom <Martinord@domian.org>
Subject: Home Designs
Attachment: Design_Interior.img (contains "IMG.interior_08-20.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
FirebirdRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53023/
Detection(s):
SecuriteInfo.com.Fareit-FWKAF83E45292BE.16551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Adding an access-denied ACE
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Deleting a recently created file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Possible injection to a system process
Setting a single autorun event
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Hive RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454417
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Hive RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279580 Sample: IMG.interior_08-20.exe Startdate: 30/08/2020 Architecture: WINDOWS Score: 100 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Hive RAT 2->42 44 4 other signatures 2->44 7 IMG.interior_08-20.exe 4 2->7         started        11 explorer.exe 5 2->11         started        13 Avast.exe 2 2->13         started        15 Avast.exe 1 2->15         started        process3 file4 32 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->32 dropped 34 C:\Users\user\...\IMG.interior_08-20.exe.log, ASCII 7->34 dropped 48 Writes to foreign memory regions 7->48 50 Allocates memory in foreign processes 7->50 52 Injects a PE file into a foreign processes 7->52 17 AddInProcess32.exe 4 7->17         started        20 wscript.exe 1 1 11->20         started        24 conhost.exe 13->24         started        26 conhost.exe 15->26         started        signatures5 process6 dnsIp7 36 23.105.131.193, 2016, 49736 LEASEWEB-USA-NYC-11US United States 17->36 28 explorer.exe 1 17->28         started        30 C:\Users\user\AppData\Roaming\Avast.exe, PE32 20->30 dropped 46 Benign windows process drops PE files 20->46 file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf0d1bf23351a82eddca116c85801b4d1bbe328933e729c735226f9563432544/
Threat name:
ByteCode-MSIL.Spyware.HiveMon
Create hunting rule
Status:
Malicious
First seen:
2020-08-29 21:15:30 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4grx4rtkguc5xokcfwilaa3jun34mujgptstrzvejxzky2devca._file
Verdict:
unknown
Similar samples:
0e66190e0f8d36eaf1b222a404a4d82fb1b32baaf3fe3cd67e21ee48050ebac2
10070ec7d3520c0f11223b9602b0d78c066eaa6b56193385d39346838669c50a
4eff27126b74a235694015e24eef51535df0957aee93773e67db901b07df3270
5f8ac42f8279dc27a6acd609e0429afcb8a6792de978047a40210acdb53708fb
a3787a9441ea35eac690866b22a7fd4499e39c78f2eeff4d0306d197e73b9d1e
b0e6043127c164a93905b6baa2ec2ee5fc0691ca1df15db962cc0d55c5b35151
bf7bdc6825c2f863095795d10195f76265c5a062850ebc4b40ff0a51f62365e8
c252f7e8e4266205e4ef29cbe10c54c8edbe83bd0946166ac59728e4a8d4a8a3
d91d577a0f28f94af5a4e492a55ca10645d51d01b9131cf39be8d0fae97b9dcb
e639997f6ee7e96b1356622bc3f5449e8ce3aeb46100e775875cc41cc891d587
+ 26 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
agilenet persistence
Link:
https://tria.ge/reports/200830-sek4ej8zfs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf0d1bf23351a82eddca116c85801b4d1bbe328933e729c735226f9563432544

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img ad19a319f0d4a6be92f09a8525bcd769dfebfc1bbb79ecb2fe278ed5364e568b

Executable exe bf0d1bf23351a82eddca116c85801b4d1bbe328933e729c735226f9563432544

(this sample)

  
Dropped by
MD5 d49fbc9dd708b8775fb0d392622f1c24
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ad19a319f0d4a6be92f09a8525bcd769dfebfc1bbb79ecb2fe278ed5364e568b
Cape
Cape
https://www.capesandbox.com/analysis/53023/

Comments