MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e41b8e4c98220e98333fb45247d384cb27c06fbd21aed71ed86defd8449dae59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e41b8e4c98220e98333fb45247d384cb27c06fbd21aed71ed86defd8449dae59
SHA3-384 hash: 888a29c286cb00de3ec26a19bbfbb6218b436a523eca6e97c8cb3088e571ca748cc80fc17bb785bc82b659c531ad716e
SHA1 hash: 3eedb898f741b9665ffb85d104501fdb1f0f1fd5
MD5 hash: 113c47cc37ba850f804de17985add1b6
humanhash: bakerloo-delaware-kitten-paris
File name:DHL DELIVERY NOTE 2021003982721.exe
Download: download sample
File size:892'743 bytes
First seen:2021-03-30 12:16:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 24576:9vIS8YEkqPvWL6YlCRiUjCrwYNmpFbg6c:9vIS8YEkCvWGbCrtsbUz
Threatray 908 similar samples on MalwareBazaar
TLSH 2815E086E5807969DE397B706E7ACE3107135EBE743C245C29DA3E673F7A493100A863
Reporter abuse_ch
Tags:DHL exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vxsys-smtpclusterma-03.srv.cat
Sending IP: 46.16.60.200
From: Carlos Sánchez <nitinsachideva@yahoo.com>
Subject: DHL DELIVERY NOTIFICATION
Attachment: DHL DELIVERY NOTE 2021003982721.LZ (contains "DHL DELIVERY NOTE 2021003982721.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127985/
Detection(s):
Win.Trojan.Generic-9848208-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Sending a UDP request
Modifying an executable file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
rans.spyw.evad.phis.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/658342
Signature
.NET source code contains potential unpacker
Creates autostart registry keys with suspicious names
Detected suspicious e-Mail address in disassembly
Found many strings related to Crypto-Wallets (likely being stolen)
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378096 Sample: DHL DELIVERY NOTE 202100398... Startdate: 30/03/2021 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Multi AV Scanner detection for dropped file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 6 other signatures 2->78 8 4394847.exe 11 2->8         started        12 DHL DELIVERY NOTE 2021003982721.exe 1 13 2->12         started        14 4394847.exe 11 2->14         started        process3 file4 44 C:\Users\user\AppData\Local\Temp\...\aj4m.dll, PE32 8->44 dropped 86 Multi AV Scanner detection for dropped file 8->86 88 Writes to foreign memory regions 8->88 90 Maps a DLL or memory area into another process 8->90 16 svchost.exe 6 8->16         started        46 C:\Users\user\AppData\Roaming\...\4394847.exe, PE32 12->46 dropped 48 C:\Users\user\AppData\Local\Temp\...\aj4m.dll, PE32 12->48 dropped 92 Creates autostart registry keys with suspicious names 12->92 20 svchost.exe 1 15 12->20         started        50 C:\Users\user\AppData\Local\Temp\...\aj4m.dll, PE32 14->50 dropped 22 svchost.exe 14->22         started        signatures5 process6 dnsIp7 52 smtp.ionos.es 213.165.67.102, 465, 49756 ONEANDONE-ASBrauerstrasse48DE Germany 16->52 60 System process connects to network (likely due to code injection or exploit) 16->60 62 Sample uses process hollowing technique 16->62 64 Tries to steal Crypto Currency Wallets 16->64 24 AppLaunch.exe 16->24         started        27 InstallUtil.exe 16->27         started        30 AppLaunch.exe 16->30         started        32 InstallUtil.exe 16->32         started        66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->66 68 Detected suspicious e-Mail address in disassembly 20->68 70 Installs a global keyboard hook 20->70 34 WerFault.exe 23 9 20->34         started        36 WerFault.exe 2 9 20->36         started        signatures8 process9 dnsIp10 80 Tries to steal Instant Messenger accounts or passwords 24->80 82 Tries to steal Mail credentials (via file access) 24->82 84 Tries to harvest and steal browser information (history, passwords, etc) 24->84 38 WerFault.exe 24->38         started        54 api.anonfile.com 45.148.16.42, 443, 49744 OBE-EUROPEObenetworkEuropeSE Sweden 27->54 56 anonfiles.com 172.67.145.1, 443, 49745 CLOUDFLARENETUS United States 27->56 58 192.168.2.1 unknown unknown 27->58 40 WerFault.exe 30->40         started        42 WerFault.exe 32->42         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e41b8e4c98220e98333fb45247d384cb27c06fbd21aed71ed86defd8449dae59/
Threat name:
Win32.Spyware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-03-30 12:17:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4qny4teyeihjqmz7wrjepu4ezmt4a355egxnohwynxx5qre5vzmq._file
Verdict:
suspicious
Similar samples:
4290d442e13dea4987b3439a97deabd09dc72d8b38fff572ea287d1c4e9b71bd
4c6997804d58c9362349c9d5905e52c1e4a41c4db83541a3bf4f72097c8205f6
6fac6e1f7f8cdd8cec52b2dd7a23fd434084c7d12ef0f04deaa52794d3612ef7
8d96cdba8c8ac7896773c03f0ab27a5cebe912d9cc6614fda1e149191fc6a7c7
ba09c031c8345f685a7da248184f5bdec2007989bbaabe9f299b601c2734541d
ba27cd1ecbbe8b1f445884fd3348660486f902b2e215b63b980bcad56efe5608
ce399cb6f48a7daf6fd1ce9ffc9a0fe086d101fac2c11a1a636e1932d3303c90
cf993c713cfe3b22bd4978530f420e2dc54c38d106ad5fc5a9aacb1e377b81e2
cfcd6d0ab043b586adb0c91f4d73e10fb016ea803665ef2b8e45b3c64ca055ad
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
+ 898 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/210330-zc1s2vg5ge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
1f35bb6728237483c779005fc227e69fef51b0bafd32d15855d483948a337078
MD5 hash:
eef9e469e8a30717974499f277d97e2a
SHA1 hash:
2d33c25984ebd9116beeb55cdde4c5c86c023e5d
Link:
https://www.unpac.me/results/785affac-7345-4b10-a144-8019ae22aabd/
SH256 hash:
94528c3bb28b6ee8499c5a7c9c88c6d5a6c4ca8b9810a39a6510d32d7decd7fe
MD5 hash:
59dc56bfd5eb4f6554a51626edd6fcfd
SHA1 hash:
0596451dbd010ac63759868355ea74590eaf2e74
Link:
https://www.unpac.me/results/785affac-7345-4b10-a144-8019ae22aabd/
SH256 hash:
e41b8e4c98220e98333fb45247d384cb27c06fbd21aed71ed86defd8449dae59
MD5 hash:
113c47cc37ba850f804de17985add1b6
SHA1 hash:
3eedb898f741b9665ffb85d104501fdb1f0f1fd5
Link:
https://www.unpac.me/results/785affac-7345-4b10-a144-8019ae22aabd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/e41b8e4c98220e98333fb45247d384cb27c06fbd21aed71ed86defd8449dae59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 2f88d57c9e91cc904c83fbdc97ffb2439cc88a569e77c1ddf14131f806c1fae5

Executable exe e41b8e4c98220e98333fb45247d384cb27c06fbd21aed71ed86defd8449dae59

(this sample)

  
Dropped by
MD5 b1634a36ec780d3a37abf27171b39a09
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127985/
  
Dropped by
SHA256 2f88d57c9e91cc904c83fbdc97ffb2439cc88a569e77c1ddf14131f806c1fae5

Comments