MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f594268a1b5164b9081ff67fcf423fab8eef1c605d98e80df27932d19cf08f2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: f594268a1b5164b9081ff67fcf423fab8eef1c605d98e80df27932d19cf08f2c
SHA3-384 hash: 06c14ba8ffb92e13bf8e926fb121ec1953bae498fa92f6fb48aa13c3978903a7ad19fae3122fee8dd02b2cbaf63e510b
SHA1 hash: 7b6423638e1a8497ea2a6cf2d868fd5cd3608c2a
MD5 hash: 746383a10231f3b6fa8d396596159716
humanhash: harry-may-eleven-oregon
File name: RFQ Request For Quotation.exe
File size: 1'051'699 bytes
First seen: 2020-08-19 11:56:48 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: bfffefca6535afcc9bd6b5d20058c57e (2 x MailPassView)
ssdeep: 24576:y0BG9gGUvH+uwuQ3ciWjcD4yFPmnnygWAl9h:y0PGAeluyciYc/lqyTAbh
Threatray: 2 similar samples on MalwareBazaar
TLSH: A125DF9FE39380FDDDC40C30DA69A7F5946899D95A0105C39BCEEA1DD8E02F1273A61E
Reporter: abuse_ch
Tags: exe


abuse_ch
Malspam distributing unidentified malware:

HELO: smtp2.hiworks.co.kr
Sending IP: 121.254.168.210
From: 곽영권 <ygkwak@jmcheavy.com>
Reply-To: "곽영권" <ygkwak@jmcheavy.com>
Subject: SEND US YOUR QUOTE AND EARLIEST DELIVERY TIME
Attachment: RFQ Request For Quotation.zip (contains "RFQ Request For Quotation.exe")

Unknown FTP exfil server:
ftps4.us.freehostia.com

Unknown FTP exfil user name:
jumshi

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Launching the process to interact with network services
Launching a process
Creating a file
Launching cmd.exe command interpreter
Sending a UDP request
Launching the process to change network settings
Launching the process to change the firewall settings
Launching a service
Reading critical registry keys
Moving a file to the %AppData% subdirectory
DNS request
Sending a custom TCP request
Enabling autorun for a service
Firewall traversal
Stealing user critical data
Result
Threat name: MailPassView
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 84 / 100
Signature
Drops executable to a common third party application directory
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Modifies the windows firewall
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses netsh to modify the Windows network and firewall settings
Yara detected MailPassView
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Behavior Graph ID: 271416
Sample: RFQ Request For Quotation.exe
Start date: 20/08/2020
Architecture: WINDOWS
Score: 84
Top-level signatures: Yara detected MailPassView; Tries to steal Mail credentials (via file registry); Machine Learning detection for dropped file; 4 other signatures
Process tree (reconstructed from the graph; parent -> child):
RFQ Request For Quotation.exe
  dropped: C:\Users\user\AppData\Roaming\...\ancp.exe (PE32), C:\Users\user\AppData\...\adobepdf.exe (PE32), C:\Users\user\AppData\Roaming\...\adobedf.exe (PE32), C:\Users\user\AppData\Roaming\...\Areada.exe (PE32)
  signature: Drops executable to a common third party application directory
  -> wscript.exe
     -> cmd.exe
        -> wscript.exe
           -> cmd.exe
              -> cmd.exe
                 -> adobedf.exe (signatures: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file access))
                 -> adobepdf.exe (network: 192.168.2.1, unknown)
                 -> netsh.exe
                 -> 12 other processes
              -> xcopy.exe (dropped: C:\Users\user\AppData\...\adobepdf.exe, C:\Users\user\AppData\Roaming\...\adobedf.exe, C:\Users\user\AppData\Roaming\...\ancp.exe, C:\Users\user\AppData\Roaming\...\Areada.exe; all PE32)
              -> conhost.exe
              -> attrib.exe
        -> net.exe
           -> net1.exe
        -> conhost.exe
Threat name: Win32.Trojan.MereTam
Status: Malicious
First seen: 2020-08-19 11:58:09 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion
Behaviour
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates system info in registry
Modifies registry class
Runs net.exe
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Launches sc.exe
Modifies service
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
Stops running service(s)
Sets file to hidden
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Executable exe f594268a1b5164b9081ff67fcf423fab8eef1c605d98e80df27932d19cf08f2c (this sample)
Delivery method: Distributed via e-mail attachment

Comments