MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83
SHA3-384 hash: 1d58be1321b6e806bedb01ac8102e0788e5c7befe9882cfc7870264248c1dfdfb19d8bd76d876b247463ee1ecb0a0b56
SHA1 hash: 592c6e5e4db97a930dfaf51351a585f9f75d45ce
MD5 hash: d90f0c1cb32a90eebb9af686b4111f59
humanhash: delta-march-oscar-potato
File name:000OUTQ080519103.pdf.exe
Download: download sample
File size:1'114'624 bytes
First seen:2021-04-07 05:55:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:+8CNPq6fgPvAp2o/dF+/ryCJsv/5X7vSWgRSYXtj/9qy:+nNyxHoO/ryCmv/5La/vtjI
Threatray 4'661 similar samples on MalwareBazaar
TLSH 7A35AE085A4405DBD4D936F084696B4002A86EBD7B92F769FB707147B9327B3CD2362F
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: WIN-V8LMQ7AJFJ9
Sending IP: 185.222.58.148
From: Finance Department <finance@jonyeng.com>
Subject: FW: SWIFT Transfer (103) 000OUTQ080519103
Attachment: 000OUTQ080519103.pdf.7z (contains "000OUTQ080519103.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
000OUTQ080519103.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:36:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/89f4587a-da45-43aa-93c7-c58a43f5347c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132762/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.634.28974.6885.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
87 / 100
Link:
https://www.joesandbox.com/analysis/668333
Signature
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 05:56:11 UTC
AV detection:
14 of 48 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zjoiiit54zpmp3pvtbekyqxqkwhrd6iuqglictizivyo6hrq3sbq._file
Verdict:
unknown
Similar samples:
1360731b382e0bcc89d9351099dbbbc972b0562c6d61ead2bdb9680fac7b4fb1
4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0
51c5377d6679a6a6e2cb1e9aee769cb64c40dc17c557eff90f8b7382c27196fa
b6310419622c8cb61a0511e47d56c1a0ceea5483880c1145ccf3f2d72d88d6b1
bb41f3d7cd89e23050aaf19a29486c0725a3e3b15af1d638e556aa245b04955e
ca4a895f81aec93ce01e2290fb643471f26fc4a190f5f65fbc1ae9647e00ad75
e614d735f9fb59c6c21cfed37a1177fa6607684c1ef6be58707b517c96407462
f73bd79fa45052bdee47d286e58107be584dd64d6cafb38362d494d9b388356f
ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7
ff76b56bee6607aa59a49b6b5ef4a27b73ad17df228a1d408ceefc810ac74e9f
+ 4'651 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210407-dfl1pxbsts/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/3520ae25-8828-4bb2-94d6-22c8ed609252/
SH256 hash:
ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83
MD5 hash:
d90f0c1cb32a90eebb9af686b4111f59
SHA1 hash:
592c6e5e4db97a930dfaf51351a585f9f75d45ce
Link:
https://www.unpac.me/results/3520ae25-8828-4bb2-94d6-22c8ed609252/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

7z d8eba15b26d5652ed7cf6a67ec0f3b847fe7179aafdd414d092d25163eed9b3e

Executable exe ca5c84227de65ec7edf59848ac42f0558f11f9148196814d194570ef1e30dc83

(this sample)

  
Dropped by
MD5 e3dfc7314c31a6ffb488a9325f62ce94
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d8eba15b26d5652ed7cf6a67ec0f3b847fe7179aafdd414d092d25163eed9b3e
Cape
Cape
https://www.capesandbox.com/analysis/132762/

Comments