MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
SHA3-384 hash: 9b18e2675028e45de8501e130700e31d0f14f471deb646960f9077af20a28e816ece60501c9479820d8115d2ce6a96d5
SHA1 hash: dc66d9a7dec86f3961f1c71498052fc166d2cbee
MD5 hash: b66c5b7075d1d8b866aaaa54be2719fe
humanhash: football-one-black-floor
File name:Production order List Quotation.pdf.exe
Download: download sample
File size:868'504 bytes
First seen:2021-01-16 07:32:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:qisS1A6ovor0EvLZ8nidRmOgFcLhxenAe4Ysm0OfT0F1S8AIHfkYMS90foXWIay/:qisS1AC
Threatray 19 similar samples on MalwareBazaar
TLSH F405708C6DB70F21E595F21BE2A4C16D673E9326F98EF7247F86A54C0D47706229BC08
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mx3.bangla.net
Sending IP: 203.188.252.14
From: Ms.Annette Sturm <br3242@bangla.net>
Reply-To: aggreko@emirates.net.ae
Subject: Fwd: Notice on the above Quotation and production order #
Attachment: Production order List Quotation.pdf.zip (contains "Production order List Quotation.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Production order List Quotation.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-16 07:47:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/82f36aef-dc29-41d8-b988-ed49e1286144

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112328/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45485812.28041.30540.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/582966
Signature
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses an obfuscated file name to hide its real file extension (double extension)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-15 17:17:53 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7j5z7bockieeqjzyoaa6hyit3meaafu27r46j4zqlyfb2nluxtgq._file
Verdict:
unknown
Similar samples:
5b8359668a34cfe71ccad1e1864a36c27a2174bd3ffe39216ae0e5e04031c1c1
657daa164ede98036b85e7bb6e7be68e22c900c1ba0c09a488f8247e048039c6
7a39af512f69ee9235b6b5e199beb2313a42ce4d6ec9b610c6e54a131c415bd8
8905819fcaa0d71e50cc1ec90e32258967e011878efb78f8db8893ad04a98174
90c467200110d06bb87d305adc23811c4a311ac7eef97a6fda38bf77d8e55cc4
c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
c52ace76d94d2c7687a8c4bd529f86c343c05cc388df75432736b1c384f8677e
e88c90bd34759e75f02ca1b3413916e7e3bab94daa1fbb540cf87cb79000164c
eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
f3a47b8fdddf8c8f83ce7a337d32400002137f36d52d60ec5553339369e8bb28
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210116-5pprtjelh6/
Behaviour
Adds Run key to start application
Drops startup file
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd
MD5 hash:
b66c5b7075d1d8b866aaaa54be2719fe
SHA1 hash:
dc66d9a7dec86f3961f1c71498052fc166d2cbee
Link:
https://www.unpac.me/results/bcaf90df-dca0-4e04-86b0-2d99ec7ec5fe/
SH256 hash:
ef36cbe79cd2da404700ecc43928ea2cf0ba4c4c982cd90a09b67af347027af9
MD5 hash:
b3cb4bb5a493d6bce48610ef01826bd5
SHA1 hash:
4bc6f7a207c8496845b6f346e7563efcd1e07c00
Link:
https://www.unpac.me/results/bcaf90df-dca0-4e04-86b0-2d99ec7ec5fe/
SH256 hash:
451d06c06f1b5654d8087fa2b347ad6933585c20bc98cbda79216c9289a48e0c
MD5 hash:
834e675b092701f7dfad280e2d5966e9
SHA1 hash:
af1b7c4824b04164419ee20f00c98eca54b6be2b
Link:
https://www.unpac.me/results/bcaf90df-dca0-4e04-86b0-2d99ec7ec5fe/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 0bfa1c0cc2f7c4e3951a979eedc117d31aca8b0b6c2cf19736fbbf62dfa902df

Executable exe fa7b9f85c252084827387001e3e113db0800169afc79e4f3305e0a1d3574bccd

(this sample)

  
Dropped by
MD5 b90ddf043efa5fce0572a30d050b79f4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0bfa1c0cc2f7c4e3951a979eedc117d31aca8b0b6c2cf19736fbbf62dfa902df
Cape
Cape
https://www.capesandbox.com/analysis/112328/

Comments