MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2
SHA3-384 hash: 1b12e9bb6ec1da6d95931adf85086f41d737bf8df6f61f7ab4a5aa11ef051f72a07044d7babbedc5fac10a70c8d13633
SHA1 hash: a4efe73b8faf1e1c2ce238e77de089ef8bad9882
MD5 hash: 8601b471a1acbd6fb19b478b80c7b775
humanhash: dakota-oven-beryllium-london
File name:Pranešimas apie mokėjimą.pdf.exe
Download: download sample
File size:2'062'336 bytes
First seen:2020-11-05 10:09:35 UTC
Last seen:2020-11-05 11:51:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:fGXFdFgkPEn+dMqJpAB4hG7RHcBZGsZP3SgYUS9YDndH:+VdWG6+qDl7CGYPCC8unt
Threatray 1'306 similar samples on MalwareBazaar
TLSH 1BA56C27398384A8C8252572467DD9D063B1BBCF37258B1E32875368DF432AB371B65E
Reporter abuse_ch
Tags:exe geo LTU Swedbank


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.doklsa.us
Sending IP: 185.249.197.82
From: Swedbank AB <info@swedbank.lt>
Subject: Pranešimas apie mokėjimą
Attachment: Pranešimas apie mokėjimą.pdf.img (contains "Pranešimas apie mokėjimą.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83202/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.47142.4160.5412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Threat name:
MailPassView
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521277
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309748 Sample: Prane#U0161imas apie mok#U0... Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 41 Multi AV Scanner detection for dropped file 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected MailPassView 2->45 47 6 other signatures 2->47 8 Prane#U0161imas apie mok#U0117jim#U0105.pdf.exe 3 2->8         started        process3 file4 29 Prane#U0161imas ap...m#U0105.pdf.exe.log, ASCII 8->29 dropped 61 Writes to foreign memory regions 8->61 63 Allocates memory in foreign processes 8->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->65 67 Injects a PE file into a foreign processes 8->67 12 mscorsvw.exe 19 8->12         started        signatures5 process6 dnsIp7 39 vbmolik.scienceontheweb.net 185.176.43.104, 49714, 49715, 80 ZETTA-ASBG Bulgaria 12->39 31 C:\Users\user\AppData\Local\Temp\B.exe, PE32 12->31 dropped 33 C:\Users\user\AppData\Local\Temp\A.exe, PE32 12->33 dropped 35 C:\Users\user\AppData\Local\...\A[1], PE32 12->35 dropped 37 C:\Users\user\AppData\Local\...\B[1], PE32 12->37 dropped 16 cmd.exe 1 12->16         started        18 cmd.exe 1 12->18         started        file8 process9 process10 20 B.exe 1 16->20         started        23 conhost.exe 16->23         started        25 A.exe 13 18->25         started        27 conhost.exe 18->27         started        signatures11 49 Multi AV Scanner detection for dropped file 20->49 51 Tries to steal Mail credentials (via file registry) 20->51 53 Tries to steal Instant Messenger accounts or passwords 20->53 55 Tries to steal Mail credentials (via file access) 20->55 57 Machine Learning detection for dropped file 25->57 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2/
Threat name:
ByteCode-MSIL.Hacktool.Lore
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 23:40:25 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=52qsq237cyhulcrxnj6gicyhnlccj6rl324embeiofpytcivfxra._file
Verdict:
malicious
Similar samples:
079a0f977b60a6115bcddb387d8783eeea8cdd7678369c01d0e7b8a6071bf123
09bdb0fb2e5689963f8375783abf0d87d2dbccc6a7ed8b03d7a53af29ab2c4d6
1f1bc6a65867b976dd8cdc00b6519b60b4da65af780f1636c447e5ebca91da96
41ec47ce62f13677c0c4576c97e299471072aa9ade05670ad0aefdbbd9187fca
a351faaa23105c8fde3cada56019c460dd7bc8579e027dfb56ef630e0b8649c5
a4c035de8a4edb11a8cfaef2f2f8326d8909578cf9d5a5534edd4eb9d5a50680
c0b1ba178d886a9d71fb7ffd5b169bf023021e13c545e3cd8d15461221dd2006
d69aa1932b2e702e5065ee19da9fc9cf2b05e7dbaa617141b14eaa501a14955e
d7448da27fa5cbe7df2df781ef5763cdcbb31f6e99d756a03fb1ff577e7043a2
e9fb11df00c7a833b875f7c68fc6d5ee3edeeac7c63d85fc4897f6aef7596f7c
+ 1'296 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
spyware
Link:
https://tria.ge/reports/201105-rwaweqky36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Unpacked files
SH256 hash:
eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2
MD5 hash:
8601b471a1acbd6fb19b478b80c7b775
SHA1 hash:
a4efe73b8faf1e1c2ce238e77de089ef8bad9882
Link:
https://www.unpac.me/results/85b3c014-f3bf-4c05-b8b1-36a929d12d66/
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/85b3c014-f3bf-4c05-b8b1-36a929d12d66/
SH256 hash:
97bbf217ca600909c7cfa4e9a8001fd5178ab2a755f7ee3103247c77364719a9
MD5 hash:
5c8b4b8ff9518573014ae978dd24c943
SHA1 hash:
8cf9104f704c4419be70bae2c2ab6d971468c47c
Link:
https://www.unpac.me/results/85b3c014-f3bf-4c05-b8b1-36a929d12d66/
SH256 hash:
9790a6aa3d28d77d320c8f32938122c1212b7f6291daa7511f854a3fcd0fb037
MD5 hash:
6e53bc3c0364eefd1d448d25e026975d
SHA1 hash:
f11ea87b0638531f442b113feb19dbaae81ad518
Link:
https://www.unpac.me/results/85b3c014-f3bf-4c05-b8b1-36a929d12d66/
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/85b3c014-f3bf-4c05-b8b1-36a929d12d66/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

img 8896e338d4b9c19eb9c1bec5e01dfea8bc4543b6750f2894775870e883ff9756

Executable exe eea1286b7f160f458a376a7c640b076ac424fa2bdeb8460488715f8989152de2

(this sample)

  
Dropped by
MD5 3a44aae3cc0304aba98244b4c0b1808a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8896e338d4b9c19eb9c1bec5e01dfea8bc4543b6750f2894775870e883ff9756
Cape
Cape
https://www.capesandbox.com/analysis/83202/

Comments