MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
SHA3-384 hash: 54fd42cdb4d83aea54c6871966b0876ed009d8581afaa881cb2d9150dec27693db0d83e371385401971c29ab14dd367f
SHA1 hash: 0b2e3e7c6b77e1831c25d0250df1079f585764c1
MD5 hash: 764844558f1ddb9a9d4d64680df442e7
humanhash: glucose-colorado-mike-three
File name:SWIFT345343445pdf.exe
Download: download sample
File size:3'181'984 bytes
First seen:2021-01-06 07:16:06 UTC
Last seen:2021-01-06 08:34:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:1WGahbh+GRyXjOJb1aOPgzTvBpx7tfUfQHqBOy47gfR47lkU/gZFb5oi0jGgKBnC:1WGNqJWxKfZi7gfR4a7o1Kh3tw
Threatray 150 similar samples on MalwareBazaar
TLSH F0E5F0027643AD81C2D0B2B64FA6DDF70359EC8AA6D07E0632E46E5B71FE28F5D19305
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: sales@efayrouz.com
Subject: Fwd: Swift copy
Attachment: SWIFT345343445pdf.z (contains "SWIFT345343445pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SWIFT345343445pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:20:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db1bc7e1-9d84-4a5e-9ccc-02ed2f5171d0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110675/
Detection(s):
Porcupine.MSIL.GenKryptik.EYQW.99332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/574844
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-05 18:42:16 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6eeauk4mmsr4pon2omzwbz7hbfdylgzfb5hnoyfdl5yqjjynnwiq._file
Verdict:
malicious
Similar samples:
09eeb09143bbbf344c4734827f855275ca47a9e6eea0964158ce00076d12ef86
10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28
1c1b2595e6838a1ee24e806ff60b80a40ad7166caaaaf65080deda57c7292c53
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab
446a57da424b148321083f32681f6394b8a8bf8cfe750054697922c091f30624
7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340
80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
+ 140 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210106-d38fqm63nj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
MD5 hash:
764844558f1ddb9a9d4d64680df442e7
SHA1 hash:
0b2e3e7c6b77e1831c25d0250df1079f585764c1
Link:
https://www.unpac.me/results/70b1561c-49b5-4cd4-8d82-cf35740feab4/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/70b1561c-49b5-4cd4-8d82-cf35740feab4/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/70b1561c-49b5-4cd4-8d82-cf35740feab4/
SH256 hash:
3308013ae1a994790b3954fe262f74aff3d1d67ffe9634b5fd15e009e116ce26
MD5 hash:
d9f4f16986c6e58706cb42b3b1d41bd7
SHA1 hash:
90e1d39abb423f857e6b9e153089510bbefc2dc0
Link:
https://www.unpac.me/results/70b1561c-49b5-4cd4-8d82-cf35740feab4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

z eaa0ac45380e40992cb3c87c957b2d0d7dd1c883c8d0f1e670b1a47df53c15ef

Executable exe f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91

(this sample)

  
Dropped by
MD5 8b21b4dc64e393a419911de98558c3a8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110675/
  
Dropped by
SHA256 eaa0ac45380e40992cb3c87c957b2d0d7dd1c883c8d0f1e670b1a47df53c15ef

Comments