MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cddbbf914db713826ba190f20ccfd85b427666227210faaf435d6748fa601d14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cddbbf914db713826ba190f20ccfd85b427666227210faaf435d6748fa601d14
SHA3-384 hash: 3a0a7d7cbf42d8987e9b4c57947c7f6c3f7d72bd6ed6fd644610bf21dedb3e251a09b3a8a6356a87534bb823c79a2681
SHA1 hash: 2780218c1a89b84a990a4fa9bb658712791d46fd
MD5 hash: b31b498b2a3822a7207e278792adc38d
humanhash: georgia-uranus-five-ohio
File name:Proforma Invoice 297663893746.exe
Download: download sample
File size:919'040 bytes
First seen:2020-11-05 08:17:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e84ad2fcdc8258e8b185201ca744213f
ssdeep 24576:DQTCo386FXokHD18aTnVVMMY6LkZppsTn:De1htRJI6gDpan
Threatray 668 similar samples on MalwareBazaar
TLSH 1F159E22F2904837D173263F8C1B93A5982ABE713D2899473BE51E7C5F396817C292D7
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: FALLA LOGISTICS GmbH <taqees@cyber.net.pk>
Subject: proforma invoice
Attachment: Proforma Invoice 297663893746.pdf (contains "Proforma Invoice 297663893746.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83109/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Strictor.251080.14026.14761.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Changing a file
Launching a process
Sending a UDP request
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/521058
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cddbbf914db713826ba190f20ccfd85b427666227210faaf435d6748fa601d14/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-05 05:12:29 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxn37eknw4jye25bsdzazt6ylnbhmzrcoiipvl2dlvtur6taduka._file
Verdict:
suspicious
Similar samples:
05c5ebfe7acb748d41d40eb6dad1c142635f5fe97958f6933fead63d723b0728
0e3ea9144ee0c548a7928e5f8511c459972e5b6dd3e706b59677df8d10825c8b
14460141625dd22787e0240e169ba782d157f760a0a01670847e3dc8c0919634
404a8a0adbd4a85e364eb3083b802c19282bfd1cb34a74ca257141db1fca34bb
4748d8754858143f280c1022b3c01ddc0a81e9fdf04babe1e711ef09d73124b6
6cebc20609d3d9a4f39599787371113c70cc5553f1d15555af232e557c2aacab
98b586cd2517a8296335f30e0e363ab72b047d10e50cec33f41ed93b6b492ca6
9de1f44fb966c4d5a8877059a530b2dd4eb01228b0ea52a78ac43df28140315b
bdb09b8c5d9d6ee0e42047449dec605b61edc1f71ee6247b84f3c9a03669cffd
e386d4d99d65ec52f0a9d504a2e8fdfe92309a2a81e6dcfbf5037afc01a1e618
+ 658 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201105-nb9vzarl8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Drops startup file
Unpacked files
SH256 hash:
cddbbf914db713826ba190f20ccfd85b427666227210faaf435d6748fa601d14
MD5 hash:
b31b498b2a3822a7207e278792adc38d
SHA1 hash:
2780218c1a89b84a990a4fa9bb658712791d46fd
Link:
https://www.unpac.me/results/7bc211ba-302f-4134-9230-d668f7843152/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

93f619e4bcf6e628d8e7350d7f68f519

Executable exe cddbbf914db713826ba190f20ccfd85b427666227210faaf435d6748fa601d14

(this sample)

  
Dropped by
MD5 93f619e4bcf6e628d8e7350d7f68f519
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/83109/

Comments