MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbd88e81ffbe0de0f0168ebf9d28ac1f2a15ce717858e6a0c6cad96adedda9fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbd88e81ffbe0de0f0168ebf9d28ac1f2a15ce717858e6a0c6cad96adedda9fc
SHA3-384 hash: 06172824ba728e41215bfd10c5e068997d1383ed88d45c7360cc666c3383f7ad5da02ad531af4eec4331874653adad7f
SHA1 hash: 9d8d1bdc14f07d588c2423c62d30a2c2266245f2
MD5 hash: 029ee16c39f3b46c024639c95199391c
humanhash: nuts-speaker-undress-utah
File name:Authorization Letter for Hiretech.exe
Download: download sample
File size:44'960 bytes
First seen:2021-02-22 09:19:54 UTC
Last seen:2021-02-22 14:48:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:hY6HH8wGbZjTs1D4e+oqdzdz3xUSynN0/kyM7IO4ojacdYbBUh3:hYXTsWxnPD60LMsOTjacqBk
Threatray 41 similar samples on MalwareBazaar
TLSH 02136C8179931E2BFC2A357A94B02C09237636D17C97A6135A8C90F975833CF1AFBE45
Reporter FORMALITYDE
Tags:exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118287/
Detection(s):
SecuriteInfo.com.Variant.Bulz.367758.17646.30824.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Creating a file
Creating a file in the %temp% subdirectories
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/613908
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops PE files with a suspicious file extension
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 355966 Sample: Authorization Letter for Hi... Startdate: 22/02/2021 Architecture: WINDOWS Score: 96 46 cdn.onenote.net 2->46 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Neshta 2->54 56 Machine Learning detection for sample 2->56 58 4 other signatures 2->58 9 Authorization Letter for Hiretech.exe 15 3 2->9         started        signatures3 process4 dnsIp5 48 coroloboxorozor.com 172.67.172.17, 49716, 49723, 80 CLOUDFLARENETUS United States 9->48 66 Hides threads from debuggers 9->66 68 Injects a PE file into a foreign processes 9->68 13 Authorization Letter for Hiretech.exe 4 9->13         started        18 cmd.exe 1 9->18         started        20 WerFault.exe 23 9 9->20         started        signatures6 process7 dnsIp8 50 coroloboxorozor.com 13->50 44 Authorization Lett...or Hiretech.exe.log, ASCII 13->44 dropped 70 Hides threads from debuggers 13->70 72 Injects a PE file into a foreign processes 13->72 22 Authorization Letter for Hiretech.exe 4 13->22         started        26 cmd.exe 1 13->26         started        28 conhost.exe 18->28         started        30 timeout.exe 1 18->30         started        file9 signatures10 process11 file12 36 C:\Windows\svchost.com, PE32 22->36 dropped 38 C:\Users\user\AppData\Local\...\setup.exe, PE32 22->38 dropped 40 C:\ProgramData\...\vcredist_x86.exe, PE32 22->40 dropped 42 110 other malicious files 22->42 dropped 60 Creates an undocumented autostart registry key 22->60 62 Drops executable to a common third party application directory 22->62 64 Infects executable files (exe, dll, sys, html) 22->64 32 conhost.exe 26->32         started        34 timeout.exe 1 26->34         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbd88e81ffbe0de0f0168ebf9d28ac1f2a15ce717858e6a0c6cad96adedda9fc/
Threat name:
ByteCode-MSIL.Downloader.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-22 08:19:24 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pmi5ap7xyg6b4awr27z2kfmd4vblttrpbmoniggzlmwvxw5vh6a._file
Verdict:
malicious
Similar samples:
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb
1ef127d41d790e02a24cd32fe6908eb42aeae3ab0e65a8291de67fdbf8c6cfa0
2afdd3aa2feb767d46e6da9b81c1d77dc1592df952980b5ee636a97ecd3f8e62
33eaead056bc761caee6ebc9de4251e1488aaafc202d04c0d4863ad29f793ad8
5493074b52dab5b859bb7bf54fdccf45ac005c3f9a2adafc52ac42891ca84793
56a403d1e2f2fcf7c7416c65eb1ec5d6b9e6906c0c9570ac89e703bc9f2ce37e
badf31d977ae00d0c4886883d2b9722ae7250939bc5d75566d9ffd0dd59fd171
d0463bdb7762bbf95edd76625d958df8066f95b53d9e548da60c19c7438a05cf
e1614a878888eddb3296e856dc5f4e63a926b9e4c899cf09da12a8f477ace4cf
+ 31 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/210222-myrcyydhxj/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Modifies system executable filetype association
Unpacked files
SH256 hash:
dbd88e81ffbe0de0f0168ebf9d28ac1f2a15ce717858e6a0c6cad96adedda9fc
MD5 hash:
029ee16c39f3b46c024639c95199391c
SHA1 hash:
9d8d1bdc14f07d588c2423c62d30a2c2266245f2
Link:
https://www.unpac.me/results/69c6c5f5-e17c-495f-9a24-758d72b7e134/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe dbd88e81ffbe0de0f0168ebf9d28ac1f2a15ce717858e6a0c6cad96adedda9fc

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118287/

Comments