MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
SHA3-384 hash: 863ecfc5ee8c944da3b3a76207e97bedbdf86aa24a0a55158be5e791eaf1e53e77ec552fb2390273e57fb5f93bf8bf3f
SHA1 hash: f07d7b1b443addae757d6fd56c0576224ec241ff
MD5 hash: 202b5ddd88428283b6d94bbdd45d4893
humanhash: carbon-five-beer-skylark
File name:IMG-2345679876543456787654345678-98765.exe
Download: download sample
File size:328'704 bytes
First seen:2020-11-05 10:16:21 UTC
Last seen:2020-11-05 11:51:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d444820d9facb23288061674446775bb (6 x AgentTesla, 4 x Formbook)
ssdeep 6144:dMik1oz1CGY29SuE7v4XkuTdtRcklw4v3V8/B5Nq:dnkOU291E7QXkufRXJv3V8LI
Threatray 3'006 similar samples on MalwareBazaar
TLSH 14641205B6E1C0B2D92100B6A1A9E75316BFFD7319B598C3B7C813096AB87C04E67BD7
Reporter abuse_ch
Tags:exe Hostwinds


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-799617.hostwindsdns.com
Sending IP: 192.236.146.33
From: Al Shidhany <alshidhany@arabienertech.com>
Subject: ORDER CONFIRMTION
Attachment: IMG-2345679876543456787654345678-98765.IMG (contains "IMG-2345679876543456787654345678-98765.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83209/
Detection(s):
SecuriteInfo.com.Generic.mg.202b5ddd88428283.9226.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Reading critical registry keys
Searching for the window
Deleting a recently created file
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521293
Signature
Binary contains a suspicious time stamp
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the user root directory
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309753 Sample: IMG-23456798765434567876543... Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Generic Dropper 2->54 56 6 other signatures 2->56 7 IMG-2345679876543456787654345678-98765.exe 3 2->7         started        11 IMG-2345679876543456787654345678-98765.exe 2 2->11         started        13 IMG-2345679876543456787654345678-98765.exe 2 2->13         started        process3 file4 36 C:\Users\user\AppData\Local\...\hunlat.exe, PE32 7->36 dropped 58 Detected unpacking (changes PE section rights) 7->58 60 Detected unpacking (overwrites its own PE header) 7->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->62 68 2 other signatures 7->68 15 IMG-2345679876543456787654345678-98765.exe 2 14 7->15         started        20 conhost.exe 7->20         started        64 Maps a DLL or memory area into another process 11->64 66 Sample uses process hollowing technique 11->66 22 IMG-2345679876543456787654345678-98765.exe 11->22         started        24 conhost.exe 11->24         started        26 IMG-2345679876543456787654345678-98765.exe 13->26         started        28 conhost.exe 13->28         started        signatures5 process6 dnsIp7 44 mail.chenklins.com 15->44 46 chenklins.com 89.45.67.200, 465, 49733 BELCLOUDBG Netherlands 15->46 34 C:\Users\user\explorer.exe, PE32 15->34 dropped 48 Installs a global keyboard hook 15->48 30 explorer.exe 15 4 15->30         started        file8 signatures9 process10 dnsIp11 38 3.246.11.0.in-addr.arpa 30->38 40 icanhazip.com 147.75.47.199, 49729, 80 PACKETUS Switzerland 30->40 42 2 other IPs or domains 30->42 70 System process connects to network (likely due to code injection or exploit) 30->70 72 Multi AV Scanner detection for dropped file 30->72 74 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->74 76 4 other signatures 30->76 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e/
Threat name:
Win32.Spyware.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 08:48:18 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yd5ttco4zqhivi6dwduvvc3myomcyqoibeyjtdx4dlbgme5qcu7a._file
Verdict:
suspicious
Similar samples:
07dbb0f511ef2ce6007a7b576be51073b953253a7e7182b361b06036e6a82f84
50eb8b54c87303301b6614c07195bef8121ab2f99685ced448b915f9e6f0fc15
58c9ea112ea67d4311a63c0cf87b4a97745c1e0f28e1a8a013047349d7d5bae4
74991102f58f5aa114cb11fe6e624c263a10129c77e917f185e9f19c73a0dad0
96d15bb3fe99161d651573512abb94b55f9b88e72c3a34d52eb4ce7574da8db7
99a98bc6f2caf5e6fe3e6ada1af35586392ea48a28bc601522bed98454cc6af6
9be235495bd4696901a7e0538b3d96f6996268c67c1b607cdc8e33a794a6a9da
bf82d80c6784207b3b2b71c4c33d4e0a0866908ebdb14a571e6f36eb7b616c60
d1e9ede488849faab5eb3e767704a4644cc79e6eaac8fe996d90fa164e68f620
e49bdc779eeaa52e085b217a5efe13fbdccce4d33c6b640ddfde03d607a30bde
+ 2'996 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-5y4vel6t82/
Unpacked files
SH256 hash:
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
MD5 hash:
202b5ddd88428283b6d94bbdd45d4893
SHA1 hash:
f07d7b1b443addae757d6fd56c0576224ec241ff
Link:
https://www.unpac.me/results/ca1269df-9b49-47e0-8637-885fa261dc30/
SH256 hash:
eef14c4da3e15ebe90759491a3ffbe799e5bebc8289e9fa23e2d67c062042cb7
MD5 hash:
c4d46ef6bddd3968acfe4b9d4f6bde5c
SHA1 hash:
0b3eeb1be5c70863ac710f938a4a166dd76dd9b4
Link:
https://www.unpac.me/results/ca1269df-9b49-47e0-8637-885fa261dc30/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c24e15c693a67f9406d57992cfe7f277

Executable exe c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e

(this sample)

  
Dropped by
MD5 c24e15c693a67f9406d57992cfe7f277
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83209/

Comments