MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867
SHA3-384 hash: 66ff87015c8597b0696d1a444f4c88df53552b879b128ed33348fa2905d28c605fb114793a99f1ae81cb95a8a22f9d13
SHA1 hash: f147d81b9d48764fc6b088c2b430c0589000fbf9
MD5 hash: aeb9c86a931fc3e0f6ded9a831cc1113
humanhash: lemon-arizona-crazy-paris
File name:PO# - BOA439 - 670A - 18112020.pdf.exe
Download: download sample
File size:667'648 bytes
First seen:2020-11-18 12:25:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:gl1aMljBMKnw6WJoGPb5FUoRAVyImHlawy:+JCKxWfPNFwyIUlaw
Threatray 105 similar samples on MalwareBazaar
TLSH 23E47D23B2A15873C12316788CCB5BB8AD2EBED0391BB9872BF51D48DF3D6813516197
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gmail.com
Sending IP: 192.158.238.82
From: ASELKON KAMPÜS HİDROLİK <aselkonmuhasebe@gmail.com>
Subject: Attached Order
Attachment: PO - BOA439 - 670A - 18112020.pdf.7z (contains "PO# - BOA439 - 670A - 18112020.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/541151
Signature
Contains functionality to detect sleep reduction / modifications
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:25:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=323yoerwtd555lr4qvq3jr766pqbvrkegumwmhdeiyenzhpylbtq._file
Verdict:
suspicious
Similar samples:
286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
53199d2d6d3d21f6a1549eb84faa73b98e68c3c0c4ca31889852a10277125e3a
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb
b2ec3cbaca68c03cabfbd50b7b94908971b26a52e5eacd80d499844944929c1b
b61fd6fa3079321e5231c3bdea1d4894b2de3fb8a8e38c2cb2c3d4754a7da86d
bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
c6d32cce563241de2f9137ed8a1812a2413cbed6f84d4d6870202fa0fcd1e01e
f114260deddc0c7ea49c9a76fca65890679874e9d295c0015d6de8f736fb8c5e
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
+ 95 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201118-2x992t8hs2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Unpacked files
SH256 hash:
deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867
MD5 hash:
aeb9c86a931fc3e0f6ded9a831cc1113
SHA1 hash:
f147d81b9d48764fc6b088c2b430c0589000fbf9
Link:
https://www.unpac.me/results/4d9e2724-3bd8-43a7-82e2-276ace42c199/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip c3a62494b25b0d8294a5bbe22dd495ffc9e20b7a1f5924df4071159b2889f6c9

Executable exe deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867

(this sample)

  
Dropped by
MD5 5d7a0c9d42076fc706159be4a9e8b0a3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c3a62494b25b0d8294a5bbe22dd495ffc9e20b7a1f5924df4071159b2889f6c9

Comments