MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Expiro


Vendor detections: 11


Intelligence 11 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
SHA3-384 hash: 99a3057b6c8231ac29854150ca272c5302e1c4abaeb09547b36f6988731fb0fb1f9b3ca89b85af772f9db598ba9ad581
SHA1 hash: 84a3f6c915201d6a662ad227114754aea6c2ee2c
MD5 hash: eaad3c08a1f393d748dd5e1a615b2b3d
humanhash: magazine-high-kansas-mango
File name:Shipment invoice.exe
Download: download sample
Signature Expiro
Create hunting rule
File size:1'444'352 bytes
First seen:2023-04-17 12:25:05 UTC
Last seen:2023-04-19 09:54:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:vzOB9fWDrP3eS3OzAMgzZba9W4tL40ze2mLpNPT8EWAinrixydMvD:vzOB9fW33ekxXzZba9W4tzeJeEWPiqM
Threatray 12 similar samples on MalwareBazaar
TLSH T14A65122AC535ACF6E6E9023A00042AEACFB065E335B3C53C57567996F7DFB062D94087
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter lowmal3
Tags:exe Expiro

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Shipment invoice.exe
Verdict:
No threats detected
Analysis date:
2023-04-17 12:25:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc15af02-1a7f-4e54-8e45-3cae61041632

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
A310Logger
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382785/
Detection(s):
Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643d3adcb197bbdcf7dc30e5/reports/958adc49-611f-4f6e-a40e-e6cd11640e76/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/530ca317-6a41-45f9-9678-1c3280f00b0a
Result
Threat name:
BluStealer, ThunderFox Stealer, a310Logg
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1215155
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates files inside the volume driver (system volume information)
Drops executable to a common third party application directory
Found malware configuration
Found potential ransomware demand text
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to download HTTP data from a sinkholed server
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected a310Logger
Yara detected BluStealer
Yara detected ThunderFox Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 848082 Sample: Shipment_invoice.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 100 43 xlfhhhm.biz 2->43 45 vjaxhpbji.biz 2->45 53 Tries to download HTTP data from a sinkholed server 2->53 55 Snort IDS alert for network traffic 2->55 57 Multi AV Scanner detection for domain / URL 2->57 59 15 other signatures 2->59 8 Shipment_invoice.exe 3 2->8         started        11 FXSSVC.exe 14 5 2->11         started        14 perfhost.exe 2->14         started        16 16 other processes 2->16 signatures3 process4 dnsIp5 35 C:\Users\user\...\Shipment_invoice.exe.log, ASCII 8->35 dropped 19 Shipment_invoice.exe 1 8 8->19         started        75 Antivirus detection for dropped file 11->75 77 Machine Learning detection for dropped file 11->77 37 cvgrf.biz 206.191.152.58, 49694, 49712, 80 VOXEL-DOT-NETUS United States 16->37 39 npukfztj.biz 63.251.106.25, 49695, 49696, 49713 VOXEL-DOT-NETUS United States 16->39 41 12 other IPs or domains 16->41 79 Creates files inside the volume driver (system volume information) 16->79 file6 signatures7 process8 dnsIp9 47 pywolwnvd.biz 173.231.184.122, 49693, 80 VOXEL-DOT-NETUS United States 19->47 49 zlenh.biz 19->49 51 13 other IPs or domains 19->51 27 C:\Windows\System32\xbgmsvc.exe, PE32+ 19->27 dropped 29 C:\Windows\System32\wbengine.exe, PE32+ 19->29 dropped 31 C:\Windows\System32\wbem\WmiApSrv.exe, PE32+ 19->31 dropped 33 30 other malicious files 19->33 dropped 61 Writes to foreign memory regions 19->61 63 Allocates memory in foreign processes 19->63 65 Drops executable to a common third party application directory 19->65 67 2 other signatures 19->67 24 AppLaunch.exe 2 19->24         started        file10 signatures11 process12 signatures13 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->69 71 Tries to steal Mail credentials (via file / registry access) 24->71 73 Tries to harvest and steal browser information (history, passwords, etc) 24->73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef/
Threat name:
Win32.Trojan.Leonem
Create hunting rule
Status:
Malicious
First seen:
2023-04-17 11:36:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=42zpsprbet5bhic6ksypb6jsptg45pby5z3ugmwcf42l6ydxdtxq._file
Verdict:
malicious
Similar samples:
283d5eea1f9fc34e351deacc25006fc1997566932fae44db4597c84f1f1f3a30
Expiro
7aba21bd10b88275b4620021abc90e8d0e5f8f0316e8d8c0b883554afc18f8ae
Expiro
9c4d77de2d7d2630f8f8ebe6d39340b7312af224764b75c0d165e8fff3411bc4
Expiro
ae4525147a1777b2b22af1f721927ae92b320550127596990648a02d528604c7
Expiro
b1516cc28d0e6e3f77a8eadd2a7fda7daf746e0a7b27088e016519baf8de0338
Expiro
f76c4cbfd0f66af33781adf386474e1d00a76d98d822a41fb6092d27c5726cb6
Expiro
f91550582e9e831cba0a8ee62a9a47b3f9a4f1f24e228353d6f5050bc1b52509
Expiro
+ 2 additional samples on MalwareBazaar
Result
Malware family:
blustealer
Create hunting rule
Score:
  10/10
Tags:
family:blustealer collection spyware stealer
Link:
https://tria.ge/reports/230417-pl6vyseb57/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Executes dropped EXE
Reads user/profile data of web browsers
BluStealer
Malware Config
C2 Extraction:
https://api.telegram.org/bot5797428905:AAGaRRXGZN1d9GGFd3sE5x4uSpCGF0PU4m4/sendMessage?chat_id=1251788325
Unpacked files
SH256 hash:
6fea2cd1fbc5e959b25620e0c4c1f5a8d4fdaf2d4f09fdd80665801e4edaab7a
MD5 hash:
beab5634fa3b7fcbb32801a47370bf1d
SHA1 hash:
a241dcbcaad53a2ffd038ce09bf8357ec30c0662
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
0fd1f00d94aff36ad8f02077efb33ddf269985ea37038aae554ff6202fdc020f
MD5 hash:
8dfd8e44c82066f4aeeff652fa2a33c5
SHA1 hash:
b844952e48ecab0e7ab2e3d5e38a20629399f94c
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403
MD5 hash:
c768bac25fc6f0551a11310e7caba8d5
SHA1 hash:
95f9195e959fb48277c95d1dd1c97a4edff7cb3a
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
92217c60d4ebac3a51acfdd752fd60e3b8abda73da32c257ce17988be07d76df
MD5 hash:
424f19c06088bbbac0ecb736c0a91d8e
SHA1 hash:
7fc028628de60cdc03ade2ee6051c14dbd3a1885
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
1340f22f3f57ed81df1042bd2020c46ccff23d7d358378f8f93245e79f93764d
MD5 hash:
c095d3c9f02383a4e7aa6d08fda01a85
SHA1 hash:
419dba6876c9997cf25c1736b56f6732211708bf
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
868cfa4fccedd16bb0c12746ae640aac8e7a525ba8264e7eeb7274dc868518be
MD5 hash:
a1e1f403d98ef63874d390562aa81306
SHA1 hash:
0b715d612b38e119a47f3f8363e19c554b6ec59a
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
fc9bb9746aaa4e07944b2c1338d26ac852531a6e6c97e98f6a56202d27ff607c
MD5 hash:
d2ec533f8b40a8224d79c87c2291f943
SHA1 hash:
f305fa4c5c8525e853fbdbcf5c8cedad9ba08fd2
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
9870dbb37050b9de21aa65dec30e7094bb34775e2b8a2ee5d37481ce924ecd5c
MD5 hash:
53cd50750accb95e275c7a00c43712e9
SHA1 hash:
b45c7fbb26bb2a25c746764b9ea2272b8227f8bc
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
SH256 hash:
e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef
MD5 hash:
eaad3c08a1f393d748dd5e1a615b2b3d
SHA1 hash:
84a3f6c915201d6a662ad227114754aea6c2ee2c
Link:
https://www.unpac.me/results/a1fd808f-7e84-4faf-8ae8-981b5f9e6d82/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e6b2f93e2124/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Expiro
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Create hunting rule
Author:ditekSHen
Description:Detects executables using Telegram Chat Bot
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MALWARE_Win_A310Logger
Create hunting rule
Author:ditekSHen
Description:Detects A310Logger
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_m0yv_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.m0yv.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Expiro

Executable exe e6b2f93e2124fa13a05e54b0f0f9327ccdcebc38ee774332c22f34bf60771cef

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382785/

Comments