MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706
SHA3-384 hash: 536c4c6e2a6e33aa960fa8058d3e91682dd487d0cc74c2d62628427af346e1c0ce1b2d367d717218e0d5703898d4272d
SHA1 hash: c5ea5dcb264701a5d9f9313eac4896913aff5b46
MD5 hash: 6781bcd642bc0323b4ca6a5228812f10
humanhash: gee-delaware-mississippi-maryland
File name: Ficha OMS - Reserva Medicos.exe
File size: 720,366 bytes
First seen: 2020-06-18 12:49:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (also seen on 116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 6144:e/fAhvV6B8ErzPZp5wdz753RSjpPBUHByxSln8Wgoy:efAv6B8azBwd+pPeHByxSlnZgoy
Threatray: 263 similar samples on MalwareBazaar
TLSH: E4E43802AD8EC0A1D2211537D825F6FA362D6D270BF0B9CB77907F2BB5318C256B5B52
Reporter: abuse_ch
Tags: exe
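As an added check (not part of the MalwareBazaar page): a Python snippet that recomputes the four digests listed above for a file and compares them, together with the file size and the PE "MZ" magic, against this entry, so a downloaded sample can be confirmed before it goes anywhere near a sandbox. The `ENTRY` values are copied from this page; the stand-in bytes used when no path is given are constructed and are not the real file. MalwareBazaar serves the download as a password-protected ZIP (password `infected`), so extract it first and point the script at the `.exe`.

```python
import hashlib
from pathlib import Path

# Values copied from the MalwareBazaar entry above.
ENTRY = {
    "size": 720366,
    "hashes": {
        "md5": "6781bcd642bc0323b4ca6a5228812f10",
        "sha1": "c5ea5dcb264701a5d9f9313eac4896913aff5b46",
        "sha256": "c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706",
        "sha3_384": "536c4c6e2a6e33aa960fa8058d3e91682dd487d0cc74c2d62628427af346e1c0ce1b2d367d717218e0d5703898d4272d",
    },
}


def compute_hashes(data: bytes) -> dict:
    """Hex digests for every algorithm the entry lists; all four ship in hashlib."""
    return {name: hashlib.new(name, data).hexdigest() for name in ENTRY["hashes"]}


def verify(data: bytes, entry: dict = ENTRY) -> dict:
    """Compare a file's bytes with the entry.

    Returns {check: (expected, actual)} for every check that fails; an empty
    dict means the bytes are the sample this page describes.
    """
    mismatches = {}
    if len(data) != entry["size"]:
        mismatches["size"] = (entry["size"], len(data))
    # "Executable exe" / application/x-dosexec: a PE file starts with "MZ".
    if data[:2] != b"MZ":
        mismatches["magic"] = (b"MZ", data[:2])
    actual = compute_hashes(data)
    for name, expected in entry["hashes"].items():
        if actual[name] != expected.lower():
            mismatches[name] = (expected, actual[name])
    return mismatches


def verify_file(path: str, entry: dict = ENTRY) -> dict:
    """Same check for a file on disk (the extracted sample)."""
    return verify(Path(path).read_bytes(), entry)


if __name__ == "__main__":
    import sys

    # Usage: python verify_sample.py "Ficha OMS - Reserva Medicos.exe"
    # Without a path, a constructed stand-in is checked; it is not the real sample
    # and is expected to fail every check except the MZ magic.
    data = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else b"MZ" + b"\0" * 100
    problems = verify(data)
    if not problems:
        print("OK: file matches MalwareBazaar entry", ENTRY["hashes"]["sha256"])
    else:
        for check, (expected, got) in problems.items():
            print(f"MISMATCH {check}: expected {expected!r}, got {got!r}")
```

A single matching SHA256 is enough to identify the file; the other digests are there because tooling and reports often quote only MD5 or SHA1, and the size and magic checks catch the common mistake of hashing the ZIP wrapper instead of the extracted executable.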


abuse_ch
Malspam distributing unidentified malware:

HELO: smtp-vm-badsender.pro-smtp.fr
Sending IP: 217.171.20.84
From: <bestcoreservations@outlook.com>
Subject: Solicitação de Reserva (Portuguese: "Reservation Request")
Attachment: Ficha OMS - Reserva Medicos.rar (contains "Ficha OMS - Reserva Medicos.exe")

Unknown payload (PowerShell):
https://www.dropbox.com/s/z577d4qayfl3roh/Nv%20bolud.txt?dl=1
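As an added example, not code from abuse.ch or MalwareBazaar: a Python mail-gateway check that parses a raw RFC 5322 message and reports which of the indicators in the report above it matches (HELO name, sending IP, sender, subject, attachment name, and the second-stage Dropbox URL if it appears in a text body). The two messages embedded in it are constructed to show a hit and a miss; the receiving host `mx.example.net`, the recipient addresses and the queue ids are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators copied from the abuse.ch report above, normalised to lower case.
MALSPAM_IOCS = {
    "helo": "smtp-vm-badsender.pro-smtp.fr",
    "sending_ip": "217.171.20.84",
    "from": "bestcoreservations@outlook.com",
    "subject": "solicitação de reserva",
    "attachment": "ficha oms - reserva medicos.rar",
    "payload_url": "https://www.dropbox.com/s/z577d4qayfl3roh/nv%20bolud.txt?dl=1",
}

# "from <helo-name> (<rdns> [<ip>])" as written by the receiving MTA.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.I | re.S)


def match_iocs(raw_message: str, iocs: dict = MALSPAM_IOCS) -> set:
    """Return the names of the indicators a raw message matches."""
    msg = message_from_string(raw_message)
    hits = set()

    # Only the topmost Received header (added by our own MX) is trustworthy;
    # every hop below it was written by the sender and can say anything.
    received = msg.get_all("Received") or []
    if received:
        m = RECEIVED_RE.search(received[0])
        if m:
            helo, ip = m.group(1).lower(), m.group(2)
            if helo == iocs["helo"]:
                hits.add("helo")
            if ip == iocs["sending_ip"]:
                hits.add("sending_ip")

    if parseaddr(msg.get("From", ""))[1].lower() == iocs["from"]:
        hits.add("from")
    if msg.get("Subject", "").strip().casefold() == iocs["subject"]:
        hits.add("subject")

    for part in msg.walk():
        name = part.get_filename()
        if name and name.casefold() == iocs["attachment"]:
            hits.add("attachment")
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if iocs["payload_url"] in body.decode("utf-8", "replace").lower():
                hits.add("payload_url")
    return hits


# Constructed message in the shape of the reported malspam (not a real capture).
SAMPLE_MALSPAM = """\
Received: from smtp-vm-badsender.pro-smtp.fr (smtp-vm-badsender.pro-smtp.fr [217.171.20.84])
\tby mx.example.net with ESMTP id 4BtqZ0; Thu, 18 Jun 2020 12:40:11 +0000
From: <bestcoreservations@outlook.com>
To: recepcao@example.net
Subject: Solicitação de Reserva
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Segue em anexo a ficha para reserva.
--b1
Content-Type: application/x-rar-compressed; name="Ficha OMS - Reserva Medicos.rar"
Content-Disposition: attachment; filename="Ficha OMS - Reserva Medicos.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAQA=
--b1--
"""

# Constructed benign message from an unrelated sender.
SAMPLE_BENIGN = """\
Received: from mail.partner.example (mail.partner.example [203.0.113.7])
\tby mx.example.net with ESMTP id 7Qx; Thu, 18 Jun 2020 13:02:44 +0000
From: Ana <ana@partner.example>
To: recepcao@example.net
Subject: Reuniao de quinta
Content-Type: text/plain; charset="utf-8"

Confirmo a reuniao.
"""

if __name__ == "__main__":
    print("malspam:", sorted(match_iocs(SAMPLE_MALSPAM)))  # five indicators
    print("benign: ", sorted(match_iocs(SAMPLE_BENIGN)))   # none
```

The function returns the set of matched indicators rather than a verdict on purpose: the sending IP, HELO name and attachment name are specific to this campaign, while an outlook.com sender address alone is weak, so the caller should weigh the set (or alert on any two) instead of blocking on a single hit.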

Intelligence

File Origin
# of uploads: 1
# of downloads: 85
Origin country: n/a
Vendor Threat Intelligence
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-06-18 13:36:34 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: evasion spyware trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
An obfuscated cmd.exe command-line is typically used to evade detection.
Modifies system certificate store
Blacklisted process makes network request

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706 (this sample)
Delivery method: Distributed via e-mail attachment

Comments