MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe
SHA3-384 hash: 7ae43c326d5a52e5c4251d5776d1ed6f93f5e32ae377487ecbe37c8e852f015e01fb818ce89c87c533fab3ff7c8ef994
SHA1 hash: 3c6b724f1b99e660053a229c033775bce06f240c
MD5 hash: d50622bd93dcf0e0518ca34411e6f1d2
humanhash: football-eleven-tango-indigo
File name:Payment Advice Confirmation.exe
Download: download sample
File size:433'152 bytes
First seen:2020-11-09 16:11:37 UTC
Last seen:2020-11-09 17:56:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8b92468b23209cac42d9c3c0c1d3de70 (9 x AgentTesla, 4 x AsyncRAT, 1 x Matiex)
ssdeep 6144:c+2F8TjfqhcZAOwAOFdqkx0PDVHUq29SuE7v5xJHyMgpjtNY/hlJMy+Gd:c+2FejfqhcZmsPX291E7B/HUp5m6Qd
Threatray 136 similar samples on MalwareBazaar
TLSH 3494E139B1F3C473C4B601B881484B7794B67D32077440BBBBE81E5E5E346E09A66B6B
Reporter abuse_ch
Tags:exe Hostwinds


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: hwsrv-799617.hostwindsdns.com
Sending IP: 192.236.146.33
From: Katherine MacLean <info@cantelmedical.com>
Subject: QUOTATION
Attachment: QUOTATION.LHA (contains "Payment Advice Confirmation.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.23873.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Modifying an executable file
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/526707
Signature
Binary contains a suspicious time stamp
Drops PE files to the user root directory
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312443 Sample: Payment Advice Confirmation.exe Startdate: 09/11/2020 Architecture: WINDOWS Score: 100 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected Generic Dropper 2->54 56 11 other signatures 2->56 7 Payment Advice Confirmation.exe 3 2->7         started        11 Payment Advice Confirmation.exe 2 2->11         started        13 Payment Advice Confirmation.exe 2 2->13         started        process3 file4 36 C:\Users\user\AppData\Local\...\guntad.exe, PE32 7->36 dropped 58 Maps a DLL or memory area into another process 7->58 15 Payment Advice Confirmation.exe 2 17 7->15         started        20 conhost.exe 7->20         started        22 Payment Advice Confirmation.exe 11->22         started        24 conhost.exe 11->24         started        26 Payment Advice Confirmation.exe 13->26         started        28 conhost.exe 13->28         started        signatures5 process6 dnsIp7 44 mail.chenklins.com 15->44 46 chenklins.com 89.45.67.200, 465, 49734, 49735 BELCLOUDBG Netherlands 15->46 34 C:\Users\user\explorer.exe, PE32 15->34 dropped 48 Installs a global keyboard hook 15->48 30 explorer.exe 15 4 15->30         started        file8 signatures9 process10 dnsIp11 38 136.144.56.255, 49730, 80 PACKETUS United States 30->38 40 194.167.4.0.in-addr.arpa 30->40 42 2 other IPs or domains 30->42 60 System process connects to network (likely due to code injection or exploit) 30->60 62 Multi AV Scanner detection for dropped file 30->62 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 30->64 66 4 other signatures 30->66 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 13:17:45 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7jnllixrrnb4kljncugia4an3gqkx7wzz652ojqzk23jb4kzlp7a._file
Verdict:
unknown
Similar samples:
0474ef132fa630cd40a4176e25893fd71f787f48c2516421a56ec21a39eba382
2719edd4501aae5818bb22c68a542d8a872fde8088175796674d3512445a4556
2b640d34fadaa474ab458cc7a312396ea6b58f269df9115dd934d79d1c869c32
4958190c440f4383001c67888d7e0f0f2ea6ab4976cfd0b2d0a165cf459a5b45
518628a52655227136f54842d662c8dfea11f017ac7ef02fd1d87080bbcbc831
94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
ae1030f0ff069ac50dea9f299186507db2223f47fc51d1952c92d4709ba56190
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
fda2f1b555d008c6788e72026c0a006fd702cab89a1eb67f350190ef4495a506
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-xvkt5vlzwj/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip b478fa6e7854b1f1ad09b34bec9a19319eb883aa9915fa113ce194cc225a24b2

Executable exe fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe

(this sample)

  
Dropped by
MD5 1ed26b3d41117ee8868ae56386179869
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b478fa6e7854b1f1ad09b34bec9a19319eb883aa9915fa113ce194cc225a24b2

Comments