MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7
SHA3-384 hash: 54ac1daab2bd982d0535dcd8889a8957fb212856da47e3f2dda45dc77ed98d2ae31596de66b7a62aa5912d5110205bbf
SHA1 hash: 2b2572ca2b908413cf2930908ad5172642dac253
MD5 hash: c11d152b1b654aa552b9f248046975f1
humanhash: salami-three-moon-skylark
File name:KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe
Download: download sample
File size:1'158'656 bytes
First seen:2021-04-05 06:35:34 UTC
Last seen:2021-04-05 08:24:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:3D5VlK6t1HbIYBfRdtKYRVbDPeMNJrXSYenxnJ:z5VlK65bIyRdUYnG8rX2n
Threatray 3'620 similar samples on MalwareBazaar
TLSH 1F35F01176805204E8AA2F341827C67503B3FE46BD2DE65D6CCDBD4F7F33A968712692
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-05 06:52:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/37ed7425-bf0a-4394-8a62-f125e12b0a97

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132166/
Detection(s):
SecuriteInfo.com.ArtemisC11D152B1B65.21320.23295.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4b0f7bb0-e701-4f5a-ae8c-ec7e372f790e
Result
Threat name:
StormKitty
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/665842
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected StormKitty Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 381851 Sample: KUWAIT NATIONAL PETROLEUM C... Startdate: 05/04/2021 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Detected unpacking (creates a PE file in dynamic memory) 2->62 64 Yara detected StormKitty Stealer 2->64 66 9 other signatures 2->66 8 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 3 2->8         started        12 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 2->12         started        14 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 2->14         started        process3 file4 42 KUWAIT NATIONAL PE... (KNPC).pdf.exe.log, ASCII 8->42 dropped 68 Injects a PE file into a foreign processes 8->68 16 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 2 21 8->16         started        20 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 12->20         started        22 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 12->22         started        24 KUWAIT NATIONAL PETROLEUM COMPANY (KNPC).pdf.exe 14->24         started        signatures5 process6 dnsIp7 44 snacksnco.com 146.71.86.122, 465, 49744 SHOCK-1US United States 16->44 46 mail.snacksnco.com 16->46 52 Writes to foreign memory regions 16->52 54 Allocates memory in foreign processes 16->54 56 Tries to steal Crypto Currency Wallets 16->56 58 2 other signatures 16->58 26 AppLaunch.exe 2 16->26         started        29 AppLaunch.exe 5 16->29         started        31 InstallUtil.exe 15 2 16->31         started        34 InstallUtil.exe 16->34         started        signatures8 process9 dnsIp10 70 Tries to steal Instant Messenger accounts or passwords 26->70 72 Tries to steal Mail credentials (via file access) 26->72 74 Tries to harvest and steal browser information (history, passwords, etc) 26->74 36 WerFault.exe 26->36         started        38 WerFault.exe 23 9 29->38         started        48 api.anonfile.com 45.148.16.46, 443, 49717 OBE-EUROPEObenetworkEuropeSE Sweden 31->48 50 192.168.2.1 unknown unknown 31->50 40 WerFault.exe 31->40         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7/
Threat name:
ByteCode-MSIL.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-04-05 06:36:10 UTC
AV detection:
4 of 48 (8.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74t3v7ip54hm53gg57zodkfqcgywcxo7mrputm2xjrgsg7lqoxdq._file
Verdict:
unknown
Similar samples:
066cd9770911c86ad9b050f137ca0684413929fbd84a0cfb22013aa534d24523
198c41255ba24b553540eecc84e89e0a9c367798c2c980c9e871e30f32bb9db4
57bc81f09c26a67ebfbf6ed01a86c622b298fcb166ed09e93c4a03db6be28910
629b3cae35bc68dd937d25e65631dcaa81a436286292c0be2d308708964f4417
8dd5ff17f444a8642bcd3601849987c6c202eaf344ba4dc606a216adffbdae4d
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
b2ccefc9809053d0d590ad346ee8a3fc38ff405eefb28b9e4d8fb287bee761a8
b68f5ac35664e0403a586d06179c9d4f053f0689b601effe9f9c081d2b32f3cd
bc9cc50af2bb6edf9a3c343311bfc20f90b5244e4d126c22a41a3d2475f2ef76
ed4351f2a2d480f3bc7e25389753b9c640cf34b7b2b9a0cab16aae41754eb5a1
+ 3'610 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210405-wn887r9gtn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/483bb998-c64e-48b6-a48e-82d0d1c029ac/
SH256 hash:
ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7
MD5 hash:
c11d152b1b654aa552b9f248046975f1
SHA1 hash:
2b2572ca2b908413cf2930908ad5172642dac253
Link:
https://www.unpac.me/results/483bb998-c64e-48b6-a48e-82d0d1c029ac/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe ff27bafd0fef0eceecc6eff2e1a8b011b1615ddf645f49b3574c4d237d7075c7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132166/

Comments