MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cdea1065a53de4df5948c4ddb1746c4f0be7311db2dbc152b34951b65417af21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cdea1065a53de4df5948c4ddb1746c4f0be7311db2dbc152b34951b65417af21
SHA3-384 hash: f5429ac8711943a28505e50926da2fd7da12ecc9c477ea3ed5e6a944fe2e2b9e58b5387a5d0e72ec026e4944870eed16
SHA1 hash: 7b9cd03d155729988920424ee4ad7549bc922e28
MD5 hash: fad60bb3c7cb0c883747ed5094f8c837
humanhash: washington-video-edward-spaghetti
File name:Our New Order May 06 2021 at 6.11_PVV550_TXT.pif
Download: download sample
File size:1'517'056 bytes
First seen:2021-05-06 07:11:53 UTC
Last seen:2021-05-06 08:15:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 1536:KrmfOxOT4c1FxeNixjJOM4Po2yk+8zyl5Iq9xq4vFr:KrmfOxHc1DeNixj0Po25+YWBFFr
Threatray 73 similar samples on MalwareBazaar
TLSH 616516112A1D154D523408F11BDC9F8DDDAF98B444F6A58BA918822FDF36BE03B327B6
Reporter abuse_ch
Tags:pif

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151377/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.703.28213.26226.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Sending a UDP request
Sending a custom TCP request
Reading critical registry keys
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/713566
Signature
.NET source code contains very large strings
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cdea1065a53de4df5948c4ddb1746c4f0be7311db2dbc152b34951b65417af21/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-06 07:12:28 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zxvbaznfhxsn6wkiyto3c5dmj4f6omi5wln4cuvtjfi3mvaxv4qq._file
Verdict:
unknown
Similar samples:
04c9ccc533b33d9eaa98a4f82f32bcd142c1228492d195ab5335c094643b7a7c
1fc85978f3b776d0bd7abebdc302641a3da45ba768428134df4acdc622fd5f86
673500aef66cdad3be016e872ca2cf17bd814857bf53f7ef24a0f534a3a47dcd
6d006ec6fb6d8741a3dc50c6f0131eb90bacbb9c49b60f02e1be2049aa4f2255
a4f9a06d39f0b20bb9e04aab75db64d3cf18ee2025a890471536415b6f18fcd3
ae6d4b4b89654fbd35c69c05a85fd4a2b84edd7091ffe372f4ba7115c2b8fbf8
ce8284965a584e028e1c301a747acf3dfb472df4b06263b42634d00f7b40f77e
e431da31eb509224ab13458b7f50a92f3a2f41cf01c8014f69f0eaf9339ab9e4
f5275c37ab60185f4fb3348905093f9ad7e08b3719ab008a9f2193a7f6e4e537
f5a3c92032bc45af8e374b619a5b6d046e6c3eadc83dc84595bffc4d6acab717
+ 63 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210506-fzb961nq3j/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f54f035bc13f4b4d2d16923d8b1960a91d45d292afe493c368b043f7088e418c
MD5 hash:
21db03b5700a383e64cfb75e24db98a0
SHA1 hash:
dd879de6857b49df2da275a4b0b4dd9f71f925a3
Link:
https://www.unpac.me/results/56dad1c2-4f78-4df1-ba39-b81574a2b83b/
SH256 hash:
d2356746c79ac33d46abd470ef2b8b8c29de8ffcace61872db87e31f005deba5
MD5 hash:
6f9ef65a1cc77bfcf66206abe1df4822
SHA1 hash:
fe3c34dcb2ba4a75b1741979545275b8c4fc04f4
Link:
https://www.unpac.me/results/56dad1c2-4f78-4df1-ba39-b81574a2b83b/
SH256 hash:
2684902c6ec85bca376d01dde6f00f51ffc2c4afdf52cd96e7a968726120e8f8
MD5 hash:
3b63f0349339b6aa6ae5637a530bd19f
SHA1 hash:
c3e505083f5684366ad3f0806c8cef26228562cf
Link:
https://www.unpac.me/results/56dad1c2-4f78-4df1-ba39-b81574a2b83b/
SH256 hash:
cdea1065a53de4df5948c4ddb1746c4f0be7311db2dbc152b34951b65417af21
MD5 hash:
fad60bb3c7cb0c883747ed5094f8c837
SHA1 hash:
7b9cd03d155729988920424ee4ad7549bc922e28
Link:
https://www.unpac.me/results/56dad1c2-4f78-4df1-ba39-b81574a2b83b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cdea1065a53de4df5948c4ddb1746c4f0be7311db2dbc152b34951b65417af21

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/151377/

Comments