MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae
SHA3-384 hash:	67f7363df83369a614f6ac9b4d98356f0e8764e60dd6f7ac4ad2a13febe817f9ac5809a59705bdbdd5f7e486323d84b8
SHA1 hash:	f0722e275e583d2b18447cd290b5fb32958ac157
MD5 hash:	e89499aa9c03cfa2d6f09288e26bcf23
humanhash:	quiet-pip-whiskey-edward
File name:	Invoice_Ord000002341.exe
Download:	download sample
File size:	35'328 bytes
First seen:	2021-04-05 14:28:26 UTC
Last seen:	2021-04-05 16:01:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:VfN3dppcAb52RgnG8GKd0JUGfliGflvx/FIwVLk9TuCRJQOU2/:VfN3djcs52RoG89+JPoToY
Threatray	3'571 similar samples on MalwareBazaar
TLSH	B0F2E6ECC99D8EE2E02CF37243B7640E4674DD732941952B968C20974EE67E118DA8DF
Reporter	abuse_ch
Tags:	exe

abuse_ch

Malspam distributing unidentified malware:

HELO: m2.pay2go.com
Sending IP: 113.196.61.199
From: Caldwell Cole <service@m2.pay2go.com>
Subject: Payment Confirmation 0000034299
Attachment: Invoice_Ord00000023413.img (contains "Invoice_Ord000002341.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

145

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Invoice_Ord000002341.exe

Verdict:

Malicious activity

Analysis date:

2021-04-05 14:32:38 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/2e2386c8-49c0-4c3e-b06d-0b03b7539b05

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/132232/

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.73885.16769.1421.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Creating a file

Moving a recently created file

Running batch commands

Creating a process with a hidden window

Launching a process

Unauthorized injection to a recently created process

Adding an access-denied ACE

Creating a window

Sending a UDP request

Sending an HTTP GET request to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/9065d29f-b950-47e2-b082-7909bd49dc56

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/666112

Signature

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae/

Threat name:

ByteCode-MSIL.Trojan.Injuke

Status:

Malicious

First seen:

2021-04-05 14:29:07 UTC

AV detection:

12 of 48 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=524u2dhhee6fxdahbj67lg5htkxyesbwderjqa3iymjjlrtedkxa._file

Verdict:

malicious

22916cd876516df90c959904823fbc25a331cd7f8e70343cc05f4674128f07e1

54fada6c9bfdc946561633bf5e3788d1921b6635629c02b6ba9a91ad7c008b60

609aa18f8033b266001d86ce69104f81ce0d520df8e1718277bdf2479acb11e8

686eca2834dd77a34fa608e4cd4507c6ac57613a41a705ad848b81fe8dbfcec4

82621061b2fa95bfbad7d9c67b02fe68fcda03fd70ac628252fbade7a11e19d9

8c35b3d63f5644c97f5e9a1215ac4d9a4486eb78ff8a1410da52fa6853c99bf8

97a6b33da5bd1caba8bf16c1a6457bda8b50ccc25d154962e53d437a8c35661f

a115e321c5902daa72854362422ea2a6cafbc5c7fcadfad0b8d03944d14e32e8

b6177b19a010725f003f7828862f9217af33f3b38a517a40c94c7e8174a91c95

+ 3'561 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210405-63ghm93nj6/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae

MD5 hash:

e89499aa9c03cfa2d6f09288e26bcf23

SHA1 hash:

f0722e275e583d2b18447cd290b5fb32958ac157

Link:

https://www.unpac.me/results/6d273fa5-b2a1-417d-812b-a896ccb83c54/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/eeb94d0ce7213c5b8c070a7df59ba79aaf8248361922980368c31295c6641aae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time