MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38
SHA3-384 hash: b322b50a2009ae00b12ecae7f0537ccebb6392e37eaf9f8e3d0fabbc2d6fb9072cf668191cdfdb9ea58d545b0a1d7528
SHA1 hash: 6d045fd02543466150cd6a1fd34b655c428b3efe
MD5 hash: dc7ba7c95902aefcade2e524e1a4ce8b
humanhash: network-cola-charlie-uranus
File name:SPEPAY13012021-20-00000009.pdf.exe
Download: download sample
File size:768'675 bytes
First seen:2021-01-14 20:19:11 UTC
Last seen:2021-01-14 21:35:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 12288:5hxp3lZnT9bDNkdAAcF3G3FFufkqzpabfsfqKLKiqGp4Imq8Dra0N58nP5Y:5Jlh9bDN+ApFW3usMabfsiKLHqr5q8Df
Threatray 335 similar samples on MalwareBazaar
TLSH E6F4BEE1B780C471D8B35539983A9B636837B51D8D68890D2BD1BF1F7D723824027EAB
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vxsys-smtpclusterma-05.srv.cat
Sending IP: 46.16.61.63
From: supporto_clienti.it@epayworldwide.com
Reply-To: supporto_clienti.it@epayworldwide.com
Subject: Invoice Epay
Attachment: SPEPAY13012021-20-00000009.pdf.rar (contains "SPEPAY13012021-20-00000009.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SPEPAY13012021-20-00000009.pdf.exe
Verdict:
No threats detected
Analysis date:
2021-01-14 20:27:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b713b2f9-0f91-4226-906d-9f925fee8862

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112095/
Detection(s):
PUA.Win.Ransomware.Protected-6611653-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Program Files subdirectories
Launching a process
Creating a process from a recently created file
Creating a file
Creating a service
Launching a service
DNS request
Sending a custom TCP request
Sending a UDP request
Enabling autorun for a service
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/581898
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to infect the boot sector
Contains functionalty to change the wallpaper
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 339988 Sample: SPEPAY13012021-20-00000009.... Startdate: 14/01/2021 Architecture: WINDOWS Score: 92 56 Multi AV Scanner detection for dropped file 2->56 58 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 6 other signatures 2->62 8 SPEPAY13012021-20-00000009.pdf.exe 3 6 2->8         started        11 svchost.exe 2->11         started        14 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdXJpYWtpbWlyaXlha2kxOTg4.exe 2 2->14         started        16 11 other processes 2->16 process3 dnsIp4 46 support-Y3Jpc2dvbj...WlyaXlha2kxOTg4.exe, PE32 8->46 dropped 19 AcroRd32.exe 15 37 8->19         started        21 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdXJpYWtpbWlyaXlha2kxOTg4.exe 6 8->21         started        64 Changes security center settings (notifications, updates, antivirus, firewall) 11->64 23 MpCmdRun.exe 11->23         started        25 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdXJpYWtpbWlyaXlha2kxOTg4.exe 2 21 14->25         started        48 127.0.0.1 unknown unknown 16->48 28 support-Y3Jpc2dvbjg3QGdtYWlsLmNvbSAzODQ1MjMgdXJpYWtpbWlyaXlha2kxOTg4.exe 3 16->28         started        file5 signatures6 process7 dnsIp8 30 RdrCEF.exe 48 19->30         started        33 AcroRd32.exe 8 6 19->33         started        35 conhost.exe 23->35         started        52 anyplace-gateway.info 76.72.163.161, 443, 49724, 49725 DATABASEBYDESIGNLLCUS United States 25->52 process9 dnsIp10 54 192.168.2.1 unknown unknown 30->54 37 RdrCEF.exe 30->37         started        40 RdrCEF.exe 30->40         started        42 RdrCEF.exe 30->42         started        44 RdrCEF.exe 30->44         started        process11 dnsIp12 50 80.0.0.0 NTLGB United Kingdom 37->50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38/
Threat name:
Win32.Trojan.AnyplaceControl
Create hunting rule
Status:
Malicious
First seen:
2021-01-14 20:20:10 UTC
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x4uzdcqlpumxxl4l7zwcgogkj5kcqkaluu3vznep2avzflgfl44a._file
Verdict:
malicious
Similar samples:
0494a9fb7d3360da05ce76def600f533d818465fd625ff765cd15cc65a9b2c07
0d852bfcbc49afecc18e426f7d694597966256d55c225a4ae798a7e98200b5ca
4f79aa8d648c5a999fb91196040b6b68db284ba1b892217563df71db9ae477f3
76299e863b71caed1b9950d904d1b52a8174b9077c9d4bc896276881caa46fad
79c4986448ffc1aeb0ef56cc0013063b008c34359f536c8e8e30aa307e30938d
8ea2458e1ff6924354036dedcbf1ee6ae2a406c97f984651b1d6ba9309c3a1e7
b369da8fa3af7d482c5c81e437c58388e4ab9dfe363adb16197b8c8133fb406e
d322d619b77d7e1734dedd8f7f00c815fad6a59621ed9021be4a7866123c33a4
f47b1f689cbb9167ba8cfe219ed7a60d587a5e27de38743c906085906864091b
ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33
+ 325 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/210114-je2sd7lfps/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Drops file in Program Files directory
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
ebcfa21ef429d234f46441c194abe77e32efeed05161e18cecae7dc04f1a7cc7
MD5 hash:
cd6f5c8643d7ebbe363ad1da70c3372a
SHA1 hash:
13df3c7c28ce730605892d7a974cd788dc7ac449
Link:
https://www.unpac.me/results/b966f8ed-f6ad-4af6-b611-2549e329be02/
SH256 hash:
bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38
MD5 hash:
dc7ba7c95902aefcade2e524e1a4ce8b
SHA1 hash:
6d045fd02543466150cd6a1fd34b655c428b3efe
Link:
https://www.unpac.me/results/b966f8ed-f6ad-4af6-b611-2549e329be02/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 918b39792a7af5e41c0d77e7c02a7ae647e25d4e2207dc42979fc11b6626f3aa

Executable exe bf29918a0b7d197baf8bfe6c2338ca4f5428280ba5375cb48fd02b92acc55f38

(this sample)

  
Dropped by
MD5 3f1abe1fb8b153bf63d415e845195f7c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112095/
  
Dropped by
SHA256 918b39792a7af5e41c0d77e7c02a7ae647e25d4e2207dc42979fc11b6626f3aa

Comments