MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582
SHA3-384 hash: c6b0e3ed5a539d1a28d1febace0de5440b66e3d1dec5a94faf599e89e48a2c8dacdd4769d94799026140dd275e2e5de1
SHA1 hash: 8641829b3f307a77dbaac8bdb2cbac86b9407626
MD5 hash: 8e32d39c211901df18eb0eda157c76f6
humanhash: alpha-michigan-kilo-louisiana
File name:VWR CI 160421.xlsx.exe
Download: download sample
File size:1'603'072 bytes
First seen:2021-04-22 06:13:34 UTC
Last seen:2021-04-22 07:19:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:uzRRRRRKaH21rUleVEqwBivHpWkz4ZUGq:YRRRRRKaW1sjqOiok0Z
Threatray 4'440 similar samples on MalwareBazaar
TLSH D675E041B2A9C8BBE41723F1D896F5F422A57D44DA22912F359BBD1F75B334210A3E0B
Reporter theDark3d
Tags:malware zmutzy

Intelligence

File Origin
# of uploads :
2
# of downloads :
205
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
VWR CI 160421.xlsx.exe
Verdict:
Malicious activity
Analysis date:
2021-04-22 07:19:07 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/689528d8-0b94-4996-be3c-87762815e481

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/143532/
Detection(s):
SecuriteInfo.com.Malware.AI.4275721012.25334.8046.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/692498
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Crypto Currency Wallets
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-04-22 07:09:29 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6j67uncjbjmv7cwztmed2syogfd3da6gkhsboyfqhazz4ra3qwba._file
Verdict:
suspicious
Similar samples:
0f97e6f8d53f551a068c3651d0c684f2813ff870b5cad591d536342aaf46a38f
222386adc9e4c25fd36319d0ad90f5e9eca14aa8cf3b3f3425dcb60a5fea4b30
3693a93f4ddbfa1eb9207e06cf87041b59b9b1ddfd866e6fbbbb52aaeae7ed83
4a91d67fc60a86db3fca975f88a5323819d92d5421be279751f29c8cf6a3f4d0
4e54f08a98b07f89fe1441642c32d046c37875460aa66d03111b3c6219707842
aba011b5f83793cebc1cfb4a1ef3aecbba7a3ea766abb459363b2d8bb51f3866
b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd
d814af14bc2fb8e5a66fd36a327eaadaea29269967ed6af99dc7c9ff3f7b8f28
da3f2156d9c0809395cf299e9818a43849a62226ab3b95fcdc0abd4eda78b3a6
ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7
+ 4'430 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/210422-38q6m9gncs/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads local data of messenger clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/f27dfa34490a595f8ad99b083d4b0e3147b183c651e41760b038339e441b8582

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/143532/

Comments