MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b
SHA3-384 hash: ef4b2d99b4dbb1a7172dd2931b77e7806815f3e9dba32dbea2fd54d1a614eb7a4947e22da66fed4b9f5ae499ee5c23d8
SHA1 hash: 4206de05affc8cc702a72f2f875afc875e4c03be
MD5 hash: 3c3eba9ffadae4a50cc03ea060493701
humanhash: uncle-earth-eight-mars
File name:utbloaumr.zip
Download: download sample
File size:196'788 bytes
First seen:2022-04-14 09:34:19 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 3072:CiK7yN2xzGhLn2dK2PTc/keMJPNpO/zYK55aoTSqrPyibDb:zK7p2b2PQ4PN4rYK555TSq7yODb
TLSH T11414235B2282D0F692396D428BDB7C4762490A5317CEF7AC026154FDEFBDB37B442462
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter moshsrv
Tags:malspam zip


Avatar
moshsrv
malspam link

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilDoc.XLSBLOLBINHammerToFall.20210414.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.DataopWereSendingYouBack.220331.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
OOXML Excel File with Excel4Macro
Link:
https://app.docguard.net/d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b/results/dashboard
Payload URLs
URL
File name
http://uri.etsi.org/01903#SignedProperties
sig1.xml
Document image
Image:
Download PNG
Document image
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
macros-on-open qbot regsvr32 regsvr32.exe
Link:
https://www.filescan.io/uploads/6257eac9482f2f41caad19ca/reports/40384fe2-b56d-4637-89fa-fb6bb6fe966b/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b
Details
Macro with Startup Hook
Detected macro logic that will automatically execute on document open. Most malware contains some execution hook.
Macro Execution Coercion
Detected a document that appears to social engineer the user into activating embedded logic.
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b/
Threat name:
Document-Office.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-04-14 02:46:11 UTC
File Type:
Binary (Archive)
Extracted files:
57
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
macro xlm
Link:
https://tria.ge/reports/220414-lkbrmsahf2/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Process spawned unexpected child process
Malware Config
Dropper Extraction:
http://redsispro.com/FP7PCr2P2F/Fnhnb.png
http://icommerceteam.com/zf3FB56CqXSE/Fnhnb.png
http://iambruno.com/eYq5bOBvV/Fnhnb.png
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip d20c836cba9d708307e151a97e8f5f87fbdb1f0a93d7a9e3cfa382620222634b

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments