MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c81e3c2e59312601327df032e64abe6715c8a5097ab57807859e867688d3a273. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c81e3c2e59312601327df032e64abe6715c8a5097ab57807859e867688d3a273
SHA3-384 hash: 481ebfbfadebd2332e7def23aa1aec58c2fb45213ec2b203d8e1f7b1f729345d66df65fd9d07ad7b064d79825afe72e9
SHA1 hash: 6010adb6e327133579ae83f38ae40c20ff8a4c70
MD5 hash: a6744b1b2b5337444752d964eb2af14b
humanhash: minnesota-wisconsin-september-idaho
File name:Merckgroup 214412.exe
Download: download sample
File size:349'696 bytes
First seen:2020-11-18 12:32:37 UTC
Last seen:2020-11-18 14:49:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:JA4l07MF6/C9+24Lb7VtTSy9KLQidoWP2OfnDIlcQrEAmg+W8:Jfl07/CY2i3rOFFH6EAmD7
Threatray 94 similar samples on MalwareBazaar
TLSH 83748EB4A1560565D65F0676ADAABE5001737E8BCCC6980C12BEB91337F3326BE52C0F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: merckgroup.com
Sending IP: 45.88.3.248
From: Adityo Mulyo <adityo.mulyo@merckgroup.com>
Subject: Order 214412 (Purchase Order)
Attachment: Merckgroup 214412.img (contains "Merckgroup 214412.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.ArtemisTrojan.6420.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/541144
Signature
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c81e3c2e59312601327df032e64abe6715c8a5097ab57807859e867688d3a273/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:33:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zapdylszgetacmt56azomsv6m4k4rjijpk2xqb4ft2dhncgtujzq._file
Verdict:
unknown
Similar samples:
1464e7d26d44d7a83f057056954155a3bec0ee3dfebde5bea8e36945e735c79c
53bcd055cbd5e6095af4dd15128a0a065d1ecd09e2f5882a240fc243ac04a2fe
56e83e366b260c60ffdb115230e5cf4f0106e2d6c9278d83bf82674b811b3573
59a680dd944269f001e9cd0c64baf199ca8fb8673caa18e7faf9cddc6562861e
62dc9a9e902b11b0b7d081ec0ce5e8f60605d244a9abfcd03ef464f0058100ca
657ce0145781e930d93e0cf3953390f98f22323be721a6d44db6342a44aea27f
82f9d45ee92a5f51af44dc11384e5a10fa12fbb46659291dc188a9222d17fc34
985aeed489ef3a3af3b21b0adb1bc8a4e7d444522b742bfedee03da6879b7fc8
a7b21f370c7b0322f1ec27c22ece8bb37380c3bed905c5c19fc60eace18eb9b8
b711fc441777905b534050ba32f04836a1a791dc4cfbf850b1ee7faecd6a82da
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201118-cfed6dsfde/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
8498a38721713177a5fb46cecd89d4dd24d962afb8ca4a4f369691daab0d44f9
MD5 hash:
94d5cd54f3331e84b5e3034537a890b9
SHA1 hash:
e12d1cb2700fe336e0ced439d87509b1b0c94ac1
Link:
https://www.unpac.me/results/450a3ed0-7eae-41c9-83c4-4afbf128bed8/
SH256 hash:
d41def6638ed646301b48bbf82e71ed09a319c07df4f1e94ab81e05c7e48a19b
MD5 hash:
7de97c0ec390fae601dfa5628287ef32
SHA1 hash:
ea1f6a5521f96d07c8485dc56f4626c50dcddbca
Link:
https://www.unpac.me/results/450a3ed0-7eae-41c9-83c4-4afbf128bed8/
SH256 hash:
c81e3c2e59312601327df032e64abe6715c8a5097ab57807859e867688d3a273
MD5 hash:
a6744b1b2b5337444752d964eb2af14b
SHA1 hash:
6010adb6e327133579ae83f38ae40c20ff8a4c70
Link:
https://www.unpac.me/results/450a3ed0-7eae-41c9-83c4-4afbf128bed8/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 6ba12f3c95cf5fea71bef086be06b62007148d2f53651b08c5a751169bf14a05

Executable exe c81e3c2e59312601327df032e64abe6715c8a5097ab57807859e867688d3a273

(this sample)

  
Dropped by
MD5 3102c8ec4525047fe31478f2ffa09419
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6ba12f3c95cf5fea71bef086be06b62007148d2f53651b08c5a751169bf14a05

Comments