MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fe71a81d0c520de551f804e7865acad3f1f4d663efdb224a7296da1e35daa642. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6


SHA256 hash: fe71a81d0c520de551f804e7865acad3f1f4d663efdb224a7296da1e35daa642
SHA3-384 hash: aaac73340a99bb518976453eec41f70899ffa234bf914f2ece92c424db7b11fd36f9ddc5734716411cc093c447f5982c
SHA1 hash: 2431718f833d069017cecd9183c04bbe0ff33bd6
MD5 hash: d6ca72036582dc30495249924d120a72
humanhash: mirror-mobile-vermont-comet
File name: PO7535522.iso
File size: 2'230'272 bytes
First seen: 2023-04-27 10:48:56 UTC
Last seen: Never
File type: iso
MIME type: application/x-iso9660-image
ssdeep: 24576:ursUxXDsKyVTAUGyHbFcwuqTJFMHgBKV8ZW4psRIHNRB8nPeM2zypUrIQdzBI3VT:Ssg2++MQZRmmHNRyPdB1BVJtV
TLSH: T176A5017B7E43FDE9EB750CB4D4C605254C8068BB831C60E4B8D8B7AE93E5854EA56CB0
TrID: 99.2% (.NULL) null bytes (2048000/1)
      0.2% (.ATN) Photoshop Action (5007/6/1)
      0.2% (.CPT) Mac Compact Pro archive (5000/1/2)
      0.1% (.ISO) ISO 9660 CD image (2545/36/1)
      0.0% (.BIN/MACBIN) MacBinary 1 (1033/5)
Reporter: cocaman
Tags: iso SWIFT


cocaman
Malicious email (T1566.001)
From: ""Harvey Elienette (PURCHASE DEPT)" <harvey@marianeabernathy.ga>" (likely spoofed)
Received: "from postfix-inbound-v2-3.inbound.mailchannels.net (inbound-egress-5.mailchannels.net [199.10.31.237]) "
Date: "Thu, 27 Apr 2023 09:41:44 +0100"
Subject: "Re: SWIFT/ NEW ORDER/ PO753552"
Attachment: "PO7535522.iso"

Intelligence


File Origin
# of uploads: 1
# of downloads: 162
Origin country: CH
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name: PO7535522.exe
File size: 2'178'048 bytes
SHA256 hash: 9142931e43055d6363ee826270edf47ada8acc56ebca1084ca9ee2fcca579536
MD5 hash: 5d0e6b60347b4816ddbe59c583387d5f
MIME type: application/x-dosexec
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: context-iso

Result
Verdict: MALICIOUS
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2023-04-27 08:44:34 UTC
File Type: Binary (Archive)
Extracted files: 4
AV detection: 11 of 37 (29.73%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: collection persistence spyware stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  outlook_office_path
  outlook_win_path
  Accesses Microsoft Outlook profiles
  Reads user/profile data of web browsers
  Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  iso  fe71a81d0c520de551f804e7865acad3f1f4d663efdb224a7296da1e35daa642  (this sample)

Delivery method
  Distributed via e-mail attachment
