MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342
SHA3-384 hash: 00fd9bb72c0a531df4aacbfeee8a4a5ba465a167064852f361f0aac1fc755f607d1c05362ba558ae58be19da7ed7f627
SHA1 hash: e609fdef9d33611113fe311276d6584a0d3e221c
MD5 hash: 692a0e33a1f8159a91020ff78a91fd0f
humanhash: nuts-failed-vegan-crazy
File name:Purchase Order 3536266 for June July August 2020.exe
Download: download sample
File size:1'785'344 bytes
First seen:2020-05-06 10:33:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 49152:H3XTTPU/LRnkP8fl8tfQcdCJkj3ULzmkr:HTTPU/pkkfitfHCJkj3UTr
Threatray 3'706 similar samples on MalwareBazaar
TLSH BF85334A335034DEC487D032BA8D4D22E211ED9B4B7F957361ABB94DAE7E11A4E102F3
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing :

HELO: e1.valueserver.jp
Sending IP: 157.7.184.11
From: Marina Faust <eigyou@one-brain.co.jp>
Reply-To: Marina Faust <sales@adminstrument.com>
Subject: Purchase Order 27735536 June July August
Attachment: Purchase Order 3536266 for June July August 2020.img (contains "Purchase Order 3536266 for June July August 2020.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 10:37:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
14
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pn7ujfwfvklcysnvr6qppmtsz3tilecbbt3bwezh4flswxt2nba._file
Verdict:
malicious
Similar samples:
13dd79b77c2ed2ba77d509e2d3b4621e83f7105674353f7e30930e07b099bce5
182321120c1270861876820e9413137d6c32cd8af4e6aee6cef87ee5fa236b5b
2222ddfcb76c8c278bbabf1b094e47950023f1319ae484d44dc502b91700db17
5136cc442f7ff2a99cb5c3c64c0419d23a3aba57f7389af3a758615eb8b6d26b
8978b5eb14061436a8d2249f9c92ac75d8307c83a09ea7aa3e6572f704b4335f
a007c974d0e999a91fb8e3c81489642b608dee675c411d99baf42499c64cc1a8
aee3e4545426bbee306c79e3a2578ac45873f340116f13908394735244721e73
b46571fd44360c7d8e9771a807c0914f419dc7dc69a43b475b537484a1aa5053
e666762b026d8017d202c3bf8f6b32d9a13bff5549735a93611e79b3c1a9ff83
fe3dcdbbb57d61e04df490402d1e477ec1a804add945a2287c697b18a2234227
+ 3'696 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
rezer0 family:masslogger spyware stealer upx
Link:
https://tria.ge/reports/201109-r5aql9977s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
rezer0
MassLogger
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:with_sqlite
Create hunting rule
Author:Julian J. Gonzalez <info@seguridadparatodos.es>
Description:Rule to detect the presence of SQLite data in raw image
Reference:http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5

Executable exe dbdbfa24b62d54b1624dac7d07bd939677342c820867b0d8993f0ab95af3d342

(this sample)

  
Dropped by
MD5 a7bf11fb5f2ea3296cefdba78eeac0f3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d9ba65273cd9e8f4f3c4dcf601c652d153fe3fc54a0dd1135389574945128dd5

Comments