MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2
SHA3-384 hash: f5ddfaa6890bbcef40f7843a55f0799821f1ae3d2a759e2ef74b4bba6d2d3afa1acab0696d14637965a25845857b77b4
SHA1 hash: 97ef92e404b63ab4130aabe20e6ae039dc6ba7ce
MD5 hash: fe8606e8ec0f1788ea9bb64f3ca50b4f
humanhash: oklahoma-neptune-moon-pasta
File name:fe8606e8ec0f1788ea9bb64f3ca50b4f
Download: download sample
File size:770'871 bytes
First seen:2024-10-18 07:42:26 UTC
Last seen:2024-10-18 10:39:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1c5b1beabd90d9fdabd1df0779ea832 (11 x CoinMiner, 10 x QuasarRAT, 8 x AsyncRAT)
ssdeep 12288:HLMEalqxXblqoRX5qbfphLxaOOlnSbuBKp7hTCCvqJeoREjGiYwi2yZwjdiV/mF5:rqaXNabfphLxaXShTqJpREdJdyZwjdic
TLSH T10BF4CF05E7E904F8E0B7E97899524902EB7B7D4E03719A8F13AC452B3F677909D3A321
TrID 76.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10522/11/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon c9f0c4cc4c6d6d48
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
353
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fe8606e8ec0f1788ea9bb64f3ca50b4f
Verdict:
No threats detected
Analysis date:
2024-10-18 08:24:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/63fbde34-bf87-4e79-b3b1-accf2e03318f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Tedy.505650.15044.31046.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6712118b34f884d15c8c98f2
Tags:
Injection Dropper Exploit
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint lolbin microsoft_visual_cc overlay packed rijndael setupapi shdocvw shell32
Link:
https://www.filescan.io/uploads/6712118aeba55d23dc7f561b/reports/2accf1f4-afef-414a-94f2-3c595d6d0ab0/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2
Result
Verdict:
MALICIOUS
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e9b911aa-1e1c-4117-9871-2ec9db86c1de
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1536854
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f2zoocybhiopitvzl6ydkt4no66stihrwjqmervbqfvvbg5ye6za._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/241018-jj9aeavela/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/374b7b70-ce94-4897-baa7-be533e2fe047
Unpacked files
SH256 hash:
cdc2a6c64f02206faa4c008cbffdce4d8eae59dd302a46ba39a2d6af38c07819
MD5 hash:
35ce113e640683dbd5127519a0649205
SHA1 hash:
1d667adb15bb677878dd72d9ed6ca6b7bdd5cc4b
Link:
https://www.unpac.me/results/0c6d2f4d-8b44-47f0-8dcf-21798b288177/
SH256 hash:
9ee55b4c57a6c07fe95974edf0fe2eb751653f9c0ace1f83efc77d2c812966ce
MD5 hash:
a34cff348e9c7f1e7531c739b8887a22
SHA1 hash:
5ecc05b752a804037e7f19cb42cd198033f96c04
Link:
https://www.unpac.me/results/0c6d2f4d-8b44-47f0-8dcf-21798b288177/
SH256 hash:
2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2
MD5 hash:
fe8606e8ec0f1788ea9bb64f3ca50b4f
SHA1 hash:
97ef92e404b63ab4130aabe20e6ae039dc6ba7ce
Link:
https://www.unpac.me/results/0c6d2f4d-8b44-47f0-8dcf-21798b288177/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2eb2e70b013a1cf44eb95fb0354f8d77bd29a0f1b260c246a1816b509bb827b2

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3240620/
  
URLhaus
https://urlhaus.abuse.ch/url/3242316/
  
URLhaus
https://urlhaus.abuse.ch/url/3242399/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments


Avatar
zbet commented on 2024-10-18 07:42:26 UTC

url : hxxp://n.ddnsgratis.com.br/sitef/elopar/elopar.jpg