MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Anyplace

Vendor detections: 4

SHA256 hash: ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33
SHA3-384 hash: 444ea051cdceaf6d148aea89ca0a2d08e99c317c01d9321c285bb8a12347fb4f1427a4766190595d60aaac8c02fb29be
SHA1 hash: e83a7b6c0f756d1ab505fdb92f8c2707ecb6784e
MD5 hash: 826108ccdfa62079420f7d8036244133
humanhash: island-lemon-nitrogen-dakota
File name: Comunicado Covid_HYREKILAKSHDGES_ENpdf.exe
Signature: Anyplace
File size: 983'734 bytes
First seen: 2020-04-14 08:50:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep: 24576:5Jlh9bDN+ApFWMAlGU5I4jQMcTIw8EUFEL:5JGATWBGU6TIn+
Threatray: 261 similar samples on MalwareBazaar
TLSH: AC25C0E1B7808471E4B36939983B9A63A437B51D9D68490D2BC1BF1F7D723424027EAB
Reporter: abuse_ch
Tags: Anyplace COVID-19 exe RAT


abuse_ch
COVID-19 themed malspam distributing Anyplace RAT:

HELO: srv03.infranetdns.com
Sending IP: 104.156.62.105
From: no-reply-invoice@es.epayworldwide.com
Attachment: Comunicado Covid_HYREKILAKSHDGES_ENpdf.rar (contains "Comunicado Covid_HYREKILAKSHDGES_ENpdf.exe")

Anyplace RAT C2:
anyplace-gateway.info:443 (76.72.163.161)

Intelligence

File Origin
# of uploads: 1
# of downloads: 117
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.PUA.Anyplacecontrol
Status: Malicious
First seen: 2020-04-14 10:21:38 UTC
File Type: PE (Exe)
Extracted files: 12
AV detection: 28 of 45 (62.22%)
Threat level: 2/5
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Anyplace
    Executable exe ffe8dbb5865f5493872432f968c9a6183fdf7b79f62b17b5093af5028497cb33 (this sample)

Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW
