MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386
SHA3-384 hash: 66b377c80c23cf99e187e45ec11dd7d6a9b891f8f4b6afbf9db7557ecce2848bdc979829be240f8a4538858f189c330c
SHA1 hash: 1354c029fb623f30f36b83d2a61ed120bc0af754
MD5 hash: a99a943d820d9d736a8e7f7b8c0de9c8
humanhash: yellow-cold-bakerloo-alaska
File name:Download Tracking Reference.doc.exe
Download: download sample
File size:1'564'160 bytes
First seen:2023-05-15 10:48:56 UTC
Last seen:2023-05-16 08:16:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:zyZDqbVXVn+Yoin6yevgTjwmqdHleoFuzUrY6bo0knecnLFH+MWhWxSTVoTaA:SDqZ0YFPsrdHEoFE6bo0keUohIgV0V
Threatray 506 similar samples on MalwareBazaar
TLSH T19875231952FA1FA3D3B887F1852426450B34A1B3BC37D53C5E9E24CEFA56F211968A83
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter TeamDreier
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
242
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Download Tracking Reference.doc.exe
Verdict:
Malicious activity
Analysis date:
2023-05-15 10:50:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0f1c0519-fc83-45bf-82cd-4bcf85a610a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/390042/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.13877.27709.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64620e2850d4f3894cdec3a2/reports/0b172f96-6fbf-4d80-8b5b-62ba6c37f9e2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14768f29-80d9-4983-b81b-b84e525a576a
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1233636
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to modify clipboard data
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-05-15 07:43:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x5amqxu6via2du7oxnqh6th3a5jxvavghlxp2nopzsdvujs6eoda._file
Verdict:
malicious
Similar samples:
1f06e9fbca301c8973f846320f64cd64e09a55a178add77b72d893cb781bc80c
37e5285ef075235abeed2a5bfbf0398cd49945e77842a8e45fba2e4dcf0c819e
967357369e28e674971587037a5d24378a41b3e074ac20d24544d1703cccfee0
9678ca06068b705da310aa2f76713d2d59905b12b67097364160857cd1f90c58
af6da297a28d23c4d9837e63904c7ed8b28672e0a82da0e6aa14374fcade7873
cc78a14cb3bff140e2b55b0acfbb6e90abb3b14c6cdeb7042ed2bb89858bb25f
cdc97952b1dcf484c5ea7e924883776f60a3e354c3028d4e3ca88112c497c56a
d92a606bedfa843a95a54253d544ecd03c944cce85da4183489ab1a77cb33624
+ 496 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230515-mwnq1sac7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Checks computer location settings
Unpacked files
SH256 hash:
034cfac01d336e43da8909622d72fbd950b42df480409825817851606e965e9d
MD5 hash:
246e102137f7d093f8fb0fcc25bac08d
SHA1 hash:
f766177f69d34f97bbc035ca3d7f18d4151a45b7
Link:
https://www.unpac.me/results/389192b7-4547-4f47-bd93-12ccd3e96ea0/
SH256 hash:
0af5ab1abced2ec83c6e9bed15b9ee25d62ce60e914ff117d93a036241e18c28
MD5 hash:
1abdf6843ea6d5059c92709c6e4e97de
SHA1 hash:
e0c5fd937f28499681bb3fc5156629f757c15c01
Link:
https://www.unpac.me/results/389192b7-4547-4f47-bd93-12ccd3e96ea0/
SH256 hash:
47b15651a3fa3e8524b253130f0d3fd00a4a500a1a75f5a78964f367b0a2000b
MD5 hash:
17685f8f0e47a05501434a183df64e0c
SHA1 hash:
d22164cb485bf3791d669375dd1638e7043af76c
Link:
https://www.unpac.me/results/389192b7-4547-4f47-bd93-12ccd3e96ea0/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/389192b7-4547-4f47-bd93-12ccd3e96ea0/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
6722a58c81f6d11004e880bd8481acc423bf96afd46bf692f1562cfa4c5852bd
MD5 hash:
d92d2ba953be4be2d6f2bc859ec5c607
SHA1 hash:
05da51752277bd907ebcfb799524ec7655abbc3a
Link:
https://www.unpac.me/results/389192b7-4547-4f47-bd93-12ccd3e96ea0/
SH256 hash:
bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386
MD5 hash:
a99a943d820d9d736a8e7f7b8c0de9c8
SHA1 hash:
1354c029fb623f30f36b83d2a61ed120bc0af754
Link:
https://www.unpac.me/results/389192b7-4547-4f47-bd93-12ccd3e96ea0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bf40c85e9eaa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe bf40c85e9eaa01a1d3eebb607f4cfb07537a82a63aeefd35cfcc875a265e2386

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/390042/

Comments