MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa2305975aded0fd0601fdab3013f8877969cb873fb9620b4d65ac6ff3b25522. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa2305975aded0fd0601fdab3013f8877969cb873fb9620b4d65ac6ff3b25522
SHA3-384 hash: bb2c6df28f546d37559dd3b35dddc15e2612e82ddbfe5ae1df499b7a627f2b64a58600f74f922f37cfb8a9b42bd0e850
SHA1 hash: 003f46f74bbfc44ffd7f3ebfec67c80cf0a07bbf
MD5 hash: 24b90157056913bef8c90b6319164afe
humanhash: twelve-august-princess-texas
File name:file.exe
Download: download sample
File size:293'621 bytes
First seen:2020-05-22 07:33:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 6144:msCwu+mWhJifvtNP/7YXSLB80PgWUGFLuhR3pOf+wy:bxmIJQvPkitVCR3pOfG
Threatray 255 similar samples on MalwareBazaar
TLSH 8D54B002F7C284F2D9721831492EAB14A67CBD301E14CA6FBBD47D6DDA710916336EA3
Reporter abuse_ch
Tags:exe RAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: del1.i.mail.ru
Sending IP: 217.69.138.183
From: Первый МГМУ им. И.М. Сеченова <govorov.nikolya@list.ru>
Subject: Нож в спину Трампа
Attachment: file.rar (contains "file.exe")

Unknown RAT C2:
bamo.ocry.com:8433 (207.148.126.141)

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

PUA.Win.Dropper.Nssm-6917179-0
Create hunting rule

PUA.Win.File.Generic-7109589-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Backdoor.tc.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Blocker
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 07:36:58 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
22 of 48 (45.83%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
07d34ae6bb632f04345eb39f5b4221f9a7e37145c55350222fcf191778a28d5e
0af65c358ae4d3f9db0fc6229e3fd6451c80b6143e0cfb56bdba9d36621ed584
3e79be51a78170ac177641b8225b22d37548617800ea0362733eeadc77445b98
43ed3081859def68a8b2ef50292e6d9dcbac7aea6ddb03de294fb9ed367c9f06
6ec6d3425cc3bdc664f5938119469a2947ad061dac33fafbd303998c9311a254
77146703fc5c722e50ccc571bcfcf55278f5cc86574f4b470ed382bf66447945
a7b2c2dfcb01c3c3b3dc945f3b8d1c907a4de8aba291241466a9da4c69492a29
b5e39716f576e5ff21e945560a98ee7ca7309491b2b7f2643728cd341b9c19de
c7962bac550ffe20ff69bbcecea355ea9689fa1e76506d3d8343f1b1f5619706
fbde44031b8acd00f624403184405b3fcf572c220c321ec82c29e7f9c3cbc233
+ 245 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro persistence
Link:
https://tria.ge/reports/201109-9kbbqpfhzn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Office loads VBA resources, possible macro or embedded object present
Drops file in Program Files directory
Drops file in Windows directory
Modifies service
Loads dropped DLL
Executes dropped EXE
Sets DLL path for service in the registry
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar f5978ab6b830a199251065c8a32b0a4900c73d56d605ef959430de2afbd82069

Executable exe fa2305975aded0fd0601fdab3013f8877969cb873fb9620b4d65ac6ff3b25522

(this sample)

  
Dropped by
MD5 ff8f5705ed8a42f29bd96db86abf36c4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f5978ab6b830a199251065c8a32b0a4900c73d56d605ef959430de2afbd82069

Comments