MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292
SHA3-384 hash: bd44a95daff9488c3e3689d81605f5e10ef43b72f45aca04e718e49429156efe9590b730fd4eb9952cf64091d9c99000
SHA1 hash: ce42bcea93547031053c089e299b8abf636049da
MD5 hash: 501c145469d9c5e05b93b633ceeff2ba
humanhash: four-west-berlin-seventeen
File name:Swift Copy Against due Invoice.PDF.exe
Download: download sample
File size:837'105 bytes
First seen:2021-03-31 06:56:00 UTC
Last seen:2021-03-31 07:56:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 12288:6hqjLi/OK8UbBYBC2r93TLtgWZtrOX04TSSmyanBzDHI1BsBUjdeiq2OgDk:o6UBY/rF/tgwOXxh4n1k1eBliq1gDk
Threatray 4'604 similar samples on MalwareBazaar
TLSH 4C05124522A1E053D3E876385F96CDB9A3B26D8D0E41C26326F83F9F39FD147981416B
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: slot0.polnacorp.cf
Sending IP: 173.82.206.16
From: KONNEX GROUP <info@konnexgroup.de>
Subject: Payment Remitance/Swift copy against due invoice
Attachment: Swift Copy Against due Invoice.PDF.iso (contains "Swift Copy Against due Invoice.PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Swift Copy Against due Invoice.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-03-31 07:09:02 UTC
Tags:
installer
Link:
https://app.any.run/tasks/3f3472a5-e39b-4056-994f-d27fe9733255

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/129164/
Detection(s):
SecuriteInfo.com.Trojan.Siggen12.62808.31632.27575.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Unauthorized injection to a recently created process
Creating a window
Creating a file
Setting a keyboard event handler
Reading critical registry keys
Moving a recently created file
Replacing files
Deleting a recently created file
Launching a process
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
Sending a UDP request
DNS request
Sending a custom TCP request
Searching for the window
Stealing user critical data
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/660028
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected Generic Dropper
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 378944 Sample: Swift Copy Against due Invo... Startdate: 31/03/2021 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 10 other signatures 2->53 8 Swift Copy Against due Invoice.PDF.exe 11 2->8         started        process3 file4 31 C:\Users\user\AppData\Local\...\7qz06dz12.dll, PE32 8->31 dropped 55 Maps a DLL or memory area into another process 8->55 12 Swift Copy Against due Invoice.PDF.exe 1 18 8->12         started        signatures5 process6 dnsIp7 37 smtp.yandex.ru 77.88.21.158, 465, 49726 YANDEXRU Russian Federation 12->37 57 Writes to foreign memory regions 12->57 59 Allocates memory in foreign processes 12->59 61 Sample uses process hollowing technique 12->61 63 3 other signatures 12->63 16 AppLaunch.exe 2 12->16         started        19 AppLaunch.exe 5 12->19         started        21 InstallUtil.exe 15 14 12->21         started        24 InstallUtil.exe 12->24         started        signatures8 process9 dnsIp10 41 Tries to steal Instant Messenger accounts or passwords 16->41 43 Tries to steal Mail credentials (via file access) 16->43 45 Tries to harvest and steal browser information (history, passwords, etc) 16->45 26 WerFault.exe 16->26         started        28 WerFault.exe 23 9 19->28         started        33 api.anonfile.com 45.148.16.42, 443, 49709 OBE-EUROPEObenetworkEuropeSE Sweden 21->33 35 anonfiles.com 172.64.207.3, 443, 49710 CLOUDFLARENETUS United States 21->35 signatures11 process12 dnsIp13 39 192.168.2.1 unknown unknown 28->39
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wcl5e5rx2tkdvhndyynpurs2k6g5boeqbjv6cz53ff6zszl6kja._file
Verdict:
unknown
Similar samples:
01bac3adf5b25f8dad0afe3fd753eefa5b31f2b3550e44069f594280e084f9b4
51d068920ee714c25ce8b122798f7492ca0d0fc4ef196040a1443aa392a1e88e
74defd8809c3c66152c56c0f711d60e7110683784e42df2d80dcf3e30c412f6a
851ee4f67cc28e3634b0062d77f62222d026c4e9674a894bcdd5b6c6e6bda376
8f16e3a601a2ecbe08bb764289fc0766df7ca8e634f5490d905055be4f827364
b8fb56d3c66d2b6280cf2be3fb58de14e9103989429d78861bd712479424c4f6
bbe69e17d653a71131e0c9fd787429245db67bd8f432b279a85881b2b1cfbf77
be1d469e7f434641202ffde45e666cd4b1d255814f8cbf344a3aff1e78e86768
dd7268284b041dafef56b6a8a4b565b3a0c54e1eaacc68121a1688e03798e72d
ebc82e867e1280af5cb01ed64745b4a4e5fa48c2ea64557bbaeb7b391e852c2f
+ 4'594 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210331-f671p76ejn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Loads dropped DLL
Reads local data of messenger clients
Unpacked files
SH256 hash:
8e6596a191afb60bb265e2a3c74b7691c61e72251a28a51aeba077dfa6a99c5b
MD5 hash:
c57801360e70f09a9cedb0344da322d4
SHA1 hash:
ae5f4f6804ac6cdd91b784acb98d73d512f6248c
Link:
https://www.unpac.me/results/caba9e17-de0c-49bf-b995-861d72a777ed/
SH256 hash:
ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292
MD5 hash:
501c145469d9c5e05b93b633ceeff2ba
SHA1 hash:
ce42bcea93547031053c089e299b8abf636049da
Link:
https://www.unpac.me/results/caba9e17-de0c-49bf-b995-861d72a777ed/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

iso dacd92571ce211b256ad0c2f033199c9a23056a0394ea369b8af143449411299

Executable exe ed84be93b1bea6a1d4ed1e30d7d232d2bc6e85c480535f0b3dd94beccb2bf292

(this sample)

  
Dropped by
MD5 90088af1711534257a5d827689ebceb5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/129164/
  
Dropped by
SHA256 dacd92571ce211b256ad0c2f033199c9a23056a0394ea369b8af143449411299

Comments