MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eda68de6706516012cda72a22a1e9e089d85ad324f47768bb982eea97836fd8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eda68de6706516012cda72a22a1e9e089d85ad324f47768bb982eea97836fd8d
SHA3-384 hash: 585de2f6a19f4663da9df2334afe348969e13335b4c2521a2796ded0a2ec12cf27d5ae3ae1fd82cfd9faa949d87fbd64
SHA1 hash: d2f523974efc348e14b2460f685af5e8227d056f
MD5 hash: 99ccdd9c78e8ef14dc061f2de2ec3f22
humanhash: carpet-mars-king-fanta
File name:BLTAX.xlsm.exe
Download: download sample
File size:431'104 bytes
First seen:2020-08-25 10:16:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:/+8iBvmJCFxZ0LuuOvKMxyLXUIfBYq5WtEdoXgzKokYR+JvkH0G4A0RYwBeYGq+C:/wBJZ2upi2yLvYYAEdXbB4A0sYGqD
Threatray 1'754 similar samples on MalwareBazaar
TLSH BD94D089BB51F64ECB5A8D7648A52D108760E4BB470BF647ADC312FD560E3FACE011E2
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: "Alphalog/TPE-Export" <export@alphatpe.com.tw>
Subject: BL/TAX
Attachment: BLTAX.xlsm.xxe (contains "BLTAX.xlsm.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/50476/
Detection(s):
SecuriteInfo.com.Generic.mg.99ccdd9c78e8ef14.11845.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/448721
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eda68de6706516012cda72a22a1e9e089d85ad324f47768bb982eea97836fd8d/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-25 10:18:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wti3ztqmulaclg2okrcuhu6bcoylljsj5dxnc5zqlxks6bw7wgq._file
Verdict:
malicious
Similar samples:
206ffd0bd61efa5d7555466690e7e20ee7bcf6f8e45323bb1bb01b85073bc77b
2634fb80e3aae92bb4b0fa252d7be8242629a9dbcd14301b0002e8d1bfc8b420
519675edeedff67d6e38db3a65860747facf59b0301ca98fb85c52a135017791
5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5
66428bc7e93f0c6e440d5d078506a28a53d5f65df1382b733206c68659076c84
ab7d156971b4c71bd112c92043ac2fcace480d0032f6303beda28fb2a5001b3d
ba570d5e847509c2b56f4bd5dfb21115e1e9516481c2a89859c2f682786a0eae
d1c50e90c890f092d4675611d4034a89c102226ca2ec29a46294d22b6f656b78
d5e25941e3d79faf029e3f285e3755bf6b40388af3fd3295dee7ce0289b6d13f
faed8958e332c72282fd257d32a1bbdff45a2859b29ff2d2eb7bcca8812d7478
+ 1'744 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/200825-9ve5d74lja/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Maps connected drives based on registry
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Checks BIOS information in registry
Loads dropped DLL
Looks for VMWare Tools registry key
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eda68de6706516012cda72a22a1e9e089d85ad324f47768bb982eea97836fd8d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

0f2731b2f8298529bb14b01b6c3199035af4bc05200dcb4baa299d33fc202d46

Executable exe eda68de6706516012cda72a22a1e9e089d85ad324f47768bb982eea97836fd8d

(this sample)

  
Dropped by
MD5 530910fd12b4b8a70c8a774bee56f634
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/50476/
  
Dropped by
SHA256 0f2731b2f8298529bb14b01b6c3199035af4bc05200dcb4baa299d33fc202d46

Comments