MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c90b2691090ea2e9ccc9a6cf6d873a0a18677bc5a0c4a2c96b278c71d72da272. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	c90b2691090ea2e9ccc9a6cf6d873a0a18677bc5a0c4a2c96b278c71d72da272
SHA3-384 hash:	83c2a76a8bf8c6a4f74fb05c1f573a7dd62ef53bc9d2e27df5f2ab1d1cbabb2a5b2953b7782a9b550a1f9494a25857d7
SHA1 hash:	48dd9d16af003655011f4c95675c1f47a730f7da
MD5 hash:	7ab17df5f53dee48353652077f9e00f6
humanhash:	echo-queen-solar-nine
File name:	Proforma Invoice.exe
Download:	download sample
File size:	578'560 bytes
First seen:	2021-03-30 12:19:21 UTC
Last seen:	2021-03-30 13:10:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:RMFqr6ehBMXQL+1ug1177cMGhXZAM1hwEYcXV+p7RORc213iivXiFZgjmKQm0ump:RMFqG0BM4+Ig1177ItN7l+ORliuXOv
Threatray	106 similar samples on MalwareBazaar
TLSH	71C461A870AE805DEEB46634F5B595920FC959321F52FF3F28E66B002C63779F94E810
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: smtp-gw.fpcci.org.pk
Sending IP: 124.29.202.102
From: Finance Manager <sales@c-accts.info>
Reply-To: Finance Manager <madinet.t.c@gmail.com>
Subject: Proforma Invoice
Attachment: Proforma Invoice.r15 (contains "Proforma Invoice.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Proforma Invoice.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-30 12:31:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5308fe30-59b8-4dc6-8228-b3fb06f1d136

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127994/

Detection(s):

SecuriteInfo.com.Scr.Malcodegdn30.23689.26161.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/658381

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c90b2691090ea2e9ccc9a6cf6d873a0a18677bc5a0c4a2c96b278c71d72da272/

Threat name:

ByteCode-MSIL.Packed.Generic

Status:

Suspicious

First seen:

2021-03-30 12:20:10 UTC

AV detection:

15 of 29 (51.72%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zefsneijb2rottgju3hw3bz2bimgo66fudckfslle6ghdvznujza._file

Verdict:

unknown

1df38ad7f7297914ac4345c3572a92bd2a0507baedff37681f35b3bb8fa0d9eb

2ae87737bdf6530806f51a691b52efa8919e48d84a49ee756f356bf4556a38e5

5b7e2aa7fd116ece66c8a64a2a92a1313fc5a2b29fd2f29b295d46938a50e469

866aae77aac5ac5f4b6bae2e93d42231c5d47c5c9d8c030310bcc4c05a465b49

95a40aa92e46b3061abeef469d4a20f1c84f10b530d0f0c06f87f96d00f75ed7

99babfa23df75eea7bb01668a107f483e3a35aefb548649617456d3286566fab

a185be0edc53aacf866542523d9f2627a21cdcbcf79ed0fcfa1314ea30446ec4

f1254986674a920f32381a826cef7caf14532b52d5a4f02a5addbde53550d0b1

f66215f8969f39a42b3227f185e601ab5a866cd23481012353c50693f1ef0b00

+ 96 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/210330-32jzh6xd9s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

d436034270fb2d5380e4fcecc1ee6c821a1701aed96045fa13f597da16be08fb

MD5 hash:

00cbf73d8b9f03417a3a32957ec64ed4

SHA1 hash:

b862eff1cf240a5ad5325fd258892e534484a6e8

Link:

https://www.unpac.me/results/b19c456d-decf-4e4e-9f87-6be7bdc72cb1/

SH256 hash:

c90b2691090ea2e9ccc9a6cf6d873a0a18677bc5a0c4a2c96b278c71d72da272

MD5 hash:

7ab17df5f53dee48353652077f9e00f6

SHA1 hash:

48dd9d16af003655011f4c95675c1f47a730f7da

Link:

https://www.unpac.me/results/b19c456d-decf-4e4e-9f87-6be7bdc72cb1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.38

Link:

https://yomi.yoroi.company/submissions/c90b2691090ea2e9ccc9a6cf6d873a0a18677bc5a0c4a2c96b278c71d72da272

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar b1f5ffd320c1fb94287dee8ca8861124e87c0421a10fdc579409343f36c8743a

exe c90b2691090ea2e9ccc9a6cf6d873a0a18677bc5a0c4a2c96b278c71d72da272

(this sample)

Dropped by

MD5 1964039e13d3f14907359c3ffae2413c

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/127994/

Dropped by

SHA256 b1f5ffd320c1fb94287dee8ca8861124e87c0421a10fdc579409343f36c8743a

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample