MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029
SHA3-384 hash: 04c46ff8c0f9748186f16f349404f13c62e450a457a210c6af1ca161ed725ecba402fad5bf8a7269d9ed1882c05ee1a3
SHA1 hash: 554a53310eb57f5c8fe5916b3c15686fd6573314
MD5 hash: d2aafdfed54b960417358637196beaa5
humanhash: alabama-virginia-carbon-angel
File name:NEW2009054 AZILIDE-500 REQ Flebo Complex.exe
Download: download sample
File size:248'160 bytes
First seen:2020-09-25 13:30:24 UTC
Last seen:2020-09-25 14:51:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:HhB0G/vi8mfXZHrHZsHrZa6Igy5RR8cpqZYEqb7d9zeGi9Yh:H3D3iQ9
Threatray 7 similar samples on MalwareBazaar
TLSH 8834A26277EC1509F1F35BB8FE7282110F7A7DB525A6CA1FA4A13D4E31EB6024429723
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.ollytrade.com
Sending IP: 104.168.170.131
From: Simone Debernardi <info@ollytrade.com>
Subject: AW: 924OOR.xlsx
Attachment: 924OOR.gz (contains "NEW2009054 AZILIDE-500 REQ Flebo Complex.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.53193.8321.32483.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/475201
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290080 Sample: NEW2009054 AZILIDE-500 REQ ... Startdate: 25/09/2020 Architecture: WINDOWS Score: 80 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected AntiVM_3 2->64 66 Drops PE files to the startup folder 2->66 68 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->68 7 NEW2009054 AZILIDE-500 REQ Flebo Complex.exe 17 5 2->7         started        12 NEW2009054 AZILIDE-500 REQ Flebo Complex.exe 2 2->12         started        14 NEW2009054 AZILIDE-500 REQ Flebo Complex.exe 2 2->14         started        process3 dnsIp4 52 server5.nrecom.net 37.120.174.218, 443, 49721, 49725 NETCUP-ASnetcupGmbHDE Germany 7->52 54 paste.nrecom.net 7->54 46 NEW2009054 AZILIDE...Q Flebo Complex.exe, PE32 7->46 dropped 48 NEW2009054 AZILIDE...exe:Zone.Identifier, ASCII 7->48 dropped 50 NEW2009054 AZILIDE...ebo Complex.exe.log, ASCII 7->50 dropped 70 Creates an undocumented autostart registry key 7->70 72 Hides threads from debuggers 7->72 74 Injects a PE file into a foreign processes 7->74 16 timeout.exe 1 7->16         started        18 NEW2009054 AZILIDE-500 REQ Flebo Complex.exe 7->18         started        32 2 other processes 7->32 56 192.168.2.1 unknown unknown 12->56 58 paste.nrecom.net 12->58 76 Creates autostart registry keys with suspicious names 12->76 20 timeout.exe 12->20         started        22 NEW2009054 AZILIDE-500 REQ Flebo Complex.exe 12->22         started        24 WerFault.exe 12->24         started        60 paste.nrecom.net 14->60 26 timeout.exe 1 14->26         started        28 NEW2009054 AZILIDE-500 REQ Flebo Complex.exe 14->28         started        30 WerFault.exe 14->30         started        file5 signatures6 process7 process8 34 conhost.exe 16->34         started        36 WerFault.exe 23 9 18->36         started        38 conhost.exe 20->38         started        40 WerFault.exe 22->40         started        42 conhost.exe 26->42         started        44 WerFault.exe 28->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029/
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 09:21:53 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4mdfu34ojhgnujz36kb4dc4titgjvwacyedfwd67ixg272jncauq._file
Verdict:
unknown
Similar samples:
0e128c983b60048ebbd6cd52281431f2658fdf9ed7e79f9976a3ad882c822da7
1f2a1d2ae2401bab5c2d7c3d6062ddc4af9517e0f99bf89e6b6cd02a70bcd0e2
4692d4716a224f54c928808d2d7ee7e9eaeb8531f1cd29b91886fa511a12f07a
9b876e4ddeaf0d950860db4942d9be1507453ba1065a03672de41dfb287b2511
dedcfc0bf2fb123fe562afad7a21ba25ee9abebd7e68b3734d6593b1bdbeaa1d
ea182e4254837c61e9aef81045e52d658207259f054918e4e31663248566947c
f72897f4747769b169b5969fcde3b1b7ec92b79e0fb2e67a9d72650ac14c8d56
Result
Malware family:
n/a
Score:
  10/10
Tags:
upx persistence
Link:
https://tria.ge/reports/200925-m4q4jwp64n/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
UPX packed file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029
MD5 hash:
d2aafdfed54b960417358637196beaa5
SHA1 hash:
554a53310eb57f5c8fe5916b3c15686fd6573314
Link:
https://www.unpac.me/results/5104622e-f282-494e-884d-5e7cb75b28d4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 99121c7c11bb444912d02000ce2e8a39b3e885d66889547ec8fb0c88906c22f4

Executable exe e3065a6f8e49ccda273bf283c18b9344cc9ad802c1065b0fdf45cdafe92d1029

(this sample)

  
Dropped by
MD5 271d8e87b589bef0329d9bae2f781d6a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65847/
  
Dropped by
SHA256 99121c7c11bb444912d02000ce2e8a39b3e885d66889547ec8fb0c88906c22f4

Comments