MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f
SHA3-384 hash: deae9d48c3c661ef4d8d23d41f5657dd7e14d52190d85475beec9b694998d046077c52f8d82562cfe5a536511e031da2
SHA1 hash: bcd4102e12bd8fb9378c56ae97fc8c8df94f0726
MD5 hash: 09121918ed94206111c47157f846ff37
humanhash: sad-crazy-eleven-orange
File name:2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f
Download: download sample
File size:5'046'272 bytes
First seen:2021-07-12 07:10:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep 98304:gq1G1+iBgRIT7LE5puQgJgieKTnXfM9h+A2:FEnBgg7LE5EfrzTnX
Threatray 167 similar samples on MalwareBazaar
TLSH T121362A12FCA214E9C1BEE23086519322FA7178A983317BD35FD49A6A1766FD47B3D310
Reporter JAMESWT_WT
Tags:BIOPASS exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f
Verdict:
No threats detected
Analysis date:
2021-07-12 07:51:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ee99f242-f38e-4651-ba9e-56d7880ba7b5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170955/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.43297.18581.23937.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/013f11b1-3198-43b4-80d9-e070e28ea7bf
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/814610
Signature
Drops PE files to the user root directory
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 447021 Sample: ndrc8MHq4z Startdate: 12/07/2021 Architecture: WINDOWS Score: 76 88 flashdownloadserver.oss-cn-hongkong.aliyuncs.com 2->88 98 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->98 100 Multi AV Scanner detection for submitted file 2->100 102 PE file has a writeable .text section 2->102 104 Sigma detected: Execution from Suspicious Folder 2->104 13 ndrc8MHq4z.exe 57 2->13         started        18 VC_redist.x86.exe 2->18         started        20 ServiceHub.Host.CLR.exe 2->20         started        signatures3 process4 dnsIp5 90 flashdownloadserver.oss-cn-hongkong.aliyuncs.com 47.75.19.237, 49710, 49711, 49712 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 13->90 78 C:\Users\Public\vc.exe, PE32 13->78 dropped 80 C:\Users\Public\flash.exe, PE32 13->80 dropped 82 C:\Users\Public\ServiceHub\winsound.pyd, PE32+ 13->82 dropped 84 47 other files (none is malicious) 13->84 dropped 108 Drops PE files to the user root directory 13->108 110 Uses ping.exe to check the status of other devices and networks 13->110 22 cmd.exe 1 13->22         started        25 cmd.exe 1 13->25         started        27 cmd.exe 13->27         started        31 2 other processes 13->31 29 VC_redist.x86.exe 18->29         started        file6 signatures7 process8 dnsIp9 106 Uses schtasks.exe or at.exe to add and modify task schedules 22->106 34 powershell.exe 16 22->34         started        36 conhost.exe 22->36         started        38 schtasks.exe 1 22->38         started        40 vc.exe 3 25->40         started        43 conhost.exe 25->43         started        49 4 other processes 27->49 45 VC_redist.x86.exe 29->45         started        92 www.wshifen.com 103.235.46.39 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Hong Kong 31->92 94 www.baidu.com 31->94 96 www.a.shifen.com 31->96 47 conhost.exe 31->47         started        51 2 other processes 31->51 signatures10 process11 file12 72 C:\Windows\Temp\...\vc.exe, PE32 40->72 dropped 53 vc.exe 71 40->53         started        74 C:\Windows\Temp\...\wixstdba.dll, PE32 45->74 dropped 56 VC_redist.x86.exe 45->56         started        process13 file14 68 C:\Windows\Temp\...\VC_redist.x86.exe, PE32 53->68 dropped 70 C:\Windows\Temp\...\wixstdba.dll, PE32 53->70 dropped 58 VC_redist.x86.exe 25 18 53->58         started        process15 file16 76 C:\ProgramData\...\VC_redist.x86.exe, PE32 58->76 dropped 61 VC_redist.x86.exe 58->61         started        process17 process18 63 VC_redist.x86.exe 61->63         started        file19 86 C:\Windows\Temp\...\wixstdba.dll, PE32 63->86 dropped 66 VC_redist.x86.exe 63->66         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f/
Threat name:
Win64.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2021-02-23 15:43:51 UTC
File Type:
PE+ (Exe)
Extracted files:
9
AV detection:
11 of 46 (23.91%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
0f18694b400e14eb995003541f16f75a5afc2478cc415a6295d171ba93565a82
30d9ffd4b92a4ed67569a78ceb25bb6f66346d1c0a7d6d6305e235cbdfe61ebe
7d0d7d416db5bd7201420982987e213a129eef2314193e4558a24f3c9a91a38e
9f34d28562e7e1e3721bbf679c58aa8f5898995ed999a641f26de120f3a42cf4
b9d0838be8952ebd4218c8f548ce94901f789ec1e32f5eaf46733f0c94c77999
ba44c22a3224c3a201202b69d86df2a78f0cd1d4ac1119eb29cae33f09027a9a
c8542bffc7a2074b8d84c4de5f18e3c8ced30b1f6edc13047ce99794b388285c
cce6b17084a996e2373aaebbace944a17d3e3745e9d88efad4947840ae92fd55
d18d84d32a340d20ab07a36f9e4b959495ecd88d7b0e9799399fcc4e959f536b
fb812a2ccdab0a9703e8e4e12c479ff809a72899374c1abf06aef55abbbf8edc
+ 157 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/210712-tdwtg6anhn/
Behaviour
Checks SCSI registry key(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f
MD5 hash:
09121918ed94206111c47157f846ff37
SHA1 hash:
bcd4102e12bd8fb9378c56ae97fc8c8df94f0726
Link:
https://www.unpac.me/results/7b572a63-98b4-4c3d-be21-745409a8fc2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b580af1cdc4655ae75ef503aba7600e05cdd68b056a9354a2184b7fbb24db6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170955/

Comments