MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4



SHA256 hash: f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324
SHA3-384 hash: 9bdb291e7abe50f58f66415403d13389a413f6e10fde1864bd523ce5f0c3661d66527efaed820e095a87b22c513f7e57
SHA1 hash: 7eede9bfe1ff75a32afe0c40e687e51d0a5483f3
MD5 hash: aad373fe494695bf75daa18df9ddf7ee
humanhash: johnny-fix-hotel-friend
File name: PURCHASE ORDER.exe
File size: 3'927'552 bytes
First seen: 2020-10-22 07:45:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 98304:6F6KiR1fmNThxarDr2LkZrjIOZJ6YFNUkvwt/T3:6C1fmNThxa3rzFvZNUk4tT
Threatray: 43 similar samples on MalwareBazaar
TLSH: 37062391FB59EEE5E1670FF010B9980993765E9DA062CA1D08BBF5BE69333C20057D0B
Reporter: abuse_ch
Tags: exe


abuse_ch
Malspam distributing unidentified malware:

HELO: stock.ovh
Sending IP: 51.178.87.221
From: wilsonlee <wilsonlee@ogcf-eng.com>
Subject: PURCHASE ORDER
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

Intelligence


File Origin
# of uploads: 1
# of downloads: 71
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Blocking the User Account Control
Enabling autorun by creating a file
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-22 03:30:28 UTC
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Checks whether UAC is enabled
UAC bypass
Unpacked files
SHA256 hash: f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324
MD5 hash: aad373fe494695bf75daa18df9ddf7ee
SHA1 hash: 7eede9bfe1ff75a32afe0c40e687e51d0a5483f3

SHA256 hash: 5fd31c6563ba4868adfbe8be3e29664913f88ccdccca89fc4b6e05a9d15d9e2d
MD5 hash: 25faa5b67e597b427aaaa177d2228921
SHA1 hash: 1dd06d14727f5708f8a811bc5b6d29e5739edf9e

SHA256 hash: 31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash: 0aebe46040ceb011e78506d4985fe3de
SHA1 hash: 218ac1e7b14a66c604ec3042f8486bed9cd4c2c1

SHA256 hash: 825f4f7f883554c3d5beeaa3eec95142770093f90ee8f31e758b5f8df02da136
MD5 hash: 6a06b5565bc1a155c94a30beea8289e7
SHA1 hash: c5f8e9398ebf59c08d1f9f2fef506c251bb20d29

SHA256 hash: 03b33dc314e4e48df7f4268c06da860e4f9e2a6440d22c05a5ffe40b10b7b54e
MD5 hash: e539377f7742afed7dcc4aa5cc4f1691
SHA1 hash: ce34e5376247792e764b9e57fab51e4df6854997
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe f40a960ed96e9a20965c184a7f798a5c2510f5673fde3b2274e4ea7ab463a324 (this sample)

Delivery method: Distributed via e-mail attachment

Comments