MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b
SHA3-384 hash: b312c654f3996dcdc79451e5c16ec0c58a0e66d4154754bbb3e9546e53bc408256e8d279eee6f046cb86dc2c7fa16753
SHA1 hash: 9ad55ebd756e27444a5e4e0dbf20cd6f8319e691
MD5 hash: ab1b39b8868549034a5d9d93b087f3ce
humanhash: wyoming-carpet-saturn-hotel
File name:SWIFT77266255378434pdf.exe
Download: download sample
File size:3'256'224 bytes
First seen:2021-01-06 07:19:15 UTC
Last seen:2021-01-06 08:33:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:SkDhFh+GRyXjOJb1aOPgzTvBpx7tfUfQHqBOy47gfR47lkU/gZFb5oi0jGguBn3e:SkWqJWxKfZi7gfR4a7o1uh3tcbbn
Threatray 103 similar samples on MalwareBazaar
TLSH 3CE5110277439E82C490B6B746A5DEF70356EC926AE07F073294736E69F66CE7D0C284
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: cpanel.sdatavision.com
Sending IP: 188.40.183.178
From: sales@efayrouz.com
Subject: Fwd: Swift copy
Attachment: SWIFT77266255378434pdf.z (contains "SWIFT77266255378434pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT77266255378434pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:25:50 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/9b3886db-30fa-438c-98c6-62c1bd1f58f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110684/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.21665.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/574856
Signature
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 336486 Sample: SWIFT77266255378434pdf.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 56 7 SWIFT77266255378434pdf.exe 7 2->7         started        file3 25 C:\Users\user\AppData\...\studiolined.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->27 dropped 29 C:\Users\...\studiolined.exe:Zone.Identifier, ASCII 7->29 dropped 33 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->33 11 studiolined.exe 3 7->11         started        14 cmd.exe 1 7->14         started        signatures4 process5 signatures6 35 Writes to foreign memory regions 11->35 37 Allocates memory in foreign processes 11->37 39 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->39 41 Injects a PE file into a foreign processes 11->41 16 AddInProcess32.exe 11->16         started        18 conhost.exe 14->18         started        20 reg.exe 1 1 14->20         started        process7 process8 22 WerFault.exe 23 9 16->22         started        dnsIp9 31 192.168.2.1 unknown unknown 22->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-06 07:20:07 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6clnuqtp3mwjyt5yt4tajy2czgj2t5jwzs4jhxxpdrkwwj5rh45q._file
Verdict:
unknown
Similar samples:
09cfbae308d3cbdf17c9c71920feee15faac8ae3c78cf70d88fffbe49e166f4e
0bd437789c9fbcd602cf9683800b11ed80bc6b8ba8f68cf6c5ced137a0bedbd2
0e770b4b1dff63afb16c1ca24f74e45905ab4e9baa1cd7ec48dada2deb252d8f
139d70b24d7cd96624f1559a68d903c5e80b690def1b68a185b9f389b6565fe2
144e3b521adb2f66b50fd33944e006ed93078559a0469ef44efad381d4865555
19d7b16a0a50b6eb2e79a6d04f1f4f8b17c9e82162ccdc0778cb0934af5b5657
48d549e9bbe11f4e45cd39a99f3668743076c63361d1e7fd7dedcd361b4cf368
7a538b979c2a126fb287ed7bbb18ac55687273dfbac2c09de85f073c9bf5e3df
f2475f5a4b0adee960b88ced8bdf3d8ab9a852fc084cecbaf9ba539bc27a4517
fd2a7682f371ab740d8691e13d1ab27f3919414019afd1b6ddf935394c59ba60
+ 93 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210106-n5rw323vme/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b
MD5 hash:
ab1b39b8868549034a5d9d93b087f3ce
SHA1 hash:
9ad55ebd756e27444a5e4e0dbf20cd6f8319e691
Link:
https://www.unpac.me/results/b23da904-d009-4f1f-89e2-4fdae95ec9ef/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/b23da904-d009-4f1f-89e2-4fdae95ec9ef/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/b23da904-d009-4f1f-89e2-4fdae95ec9ef/
SH256 hash:
3308013ae1a994790b3954fe262f74aff3d1d67ffe9634b5fd15e009e116ce26
MD5 hash:
d9f4f16986c6e58706cb42b3b1d41bd7
SHA1 hash:
90e1d39abb423f857e6b9e153089510bbefc2dc0
Link:
https://www.unpac.me/results/b23da904-d009-4f1f-89e2-4fdae95ec9ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.08
Link:
https://yomi.yoroi.company/submissions/f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

8dbfa119408be11184c94300d1b456b7

Executable exe f096da426fdb2c9c4fb89f2604e342c993a9f536ccb893deef1c556b27b13f3b

(this sample)

  
Dropped by
MD5 8dbfa119408be11184c94300d1b456b7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110684/

Comments