MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eef55ebcebb5f68e163f5870501630a8165f9b614d3fce592b2aa9e95e064b75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA File information Comments

SHA256 hash:	eef55ebcebb5f68e163f5870501630a8165f9b614d3fce592b2aa9e95e064b75
SHA3-384 hash:	f3fccfa02b02dbf202447f786e0111cb1aea05929e9c357b94b20f3fce0e72977f62380f966dfbed06c442fe312dd926
SHA1 hash:	7b6306e4d755e5227a1c3ce848e4334012ece78f
MD5 hash:	654f2b5a46f6bf26de12ff5daeb68f94
humanhash:	three-three-green-coffee
File name:	eef55ebcebb5f68e163f5870501630a8165f9b614d3fce592b2aa9e95e064b75
Download:	download sample
File size:	964'567 bytes
First seen:	2020-03-23 15:59:27 UTC
Last seen:	2020-03-23 16:18:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep	24576:VwS96h7spJ9du0DoI4rj52EN/trpoo/2aOP:V5v9rDoJrjEENBCo/0
TLSH	9425336F31854E11FDAB8B748A72697DCBBCCC05804176377B697C7E2D3A883A525283
Reporter	Marco_Ramilli
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Downloader.Soft32downloader-6691270-0

SecuriteInfo.com.PSW.Generic8.CJHS.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Occamy

Status:

Malicious

First seen:

2019-03-30 16:03:16 UTC

AV detection:

21 of 31 (67.74%)

Threat level:

2/5

Verdict:

malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe eef55ebcebb5f68e163f5870501630a8165f9b614d3fce592b2aa9e95e064b75

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/169285/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA SHELL32.dll::SHFileOperationA SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetDiskFreeSpaceA KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileA KERNEL32.dll::MoveFileA KERNEL32.dll::GetWindowsDirectoryA
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegDeleteKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::AppendMenuA USER32.dll::EmptyClipboard USER32.dll::FindWindowExA USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample