MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
SHA3-384 hash: 66dc02ce37d42327cd4ce78321b6c0a03735ff033be7ad1a08050699d11d4cad3d4750c5c25c63a6ad718c24dea030c2
SHA1 hash: 2621f79b2143ae3704e814756e01d326d5145a5a
MD5 hash: 113badfe1404cd59640cad6b409acb98
humanhash: apart-november-fruit-alpha
File name:pdbmBxgGXitj.exe
Download: download sample
File size:4'853'760 bytes
First seen:2021-10-25 08:35:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 156f3c9ddc52718533dea60dbba4074c
ssdeep 49152:H1CeWPMk8XGPUStv3S6UNCGExH3kD5nngZTmTI+:Vckkt36NCGE29nng4I+
TLSH T1EF266BA3724C213AF16A2E794C2799649C3B6A5127168C5E7FF01C4C8F771817E3A62F
File icon (PE):PE icon
dhash icon 1769d3d2bc2c6117
Reporter AndreGironda
Tags:exe


Avatar
AndreGironda
MITRE T1566.001
Date: Mon, 25 Oct 2021 00:00-00:30 +0000 (UTC)
Received: from f79.user-online01.com (52.243.78.50)
content-type: text/html
Subject: ✅ <removed>, Pix Recebido com Sucesso- - ID:914767914767
From: BCO-CENTRAL <gerencia-central86236@f79.user-online01.com>
Message-Id: <20211025002820.F02423FB76@f79.user-online01.com>
Return-Path: root@f79.user-online01.com
Malicious URL: hXXps://res.cloudinary[.]com/dpxbbemsn/raw/upload/v1634858510/chegouseupix_d2av9g.html
Microsoft Installer Name: FORM_PIX XJTVCZG.msi
MSI SHA256: 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
Unpacked DLL 1 SHA256: 23179a9183cb0c0d3e10bfbf6edd5b1d92244ea1ae3120bb008ac09cea59b217
Unpacked DLL 2 SHA256: 5b6cdda58dabeb641d45086144e3b2e92ae1ba2c7a10cfdb4c6db09ca971d45b
Unpacked Executable SHA256: 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
Stage 1 URL: hXXp://ec2-18-231-149-132.sa-east-1.compute.amazonaws[.]com/mod2.zip
Stage 2 URL: hXXps://759c87514850247c.s3.us-east-2.amazonaws[.]com/0321F9132EC97FDC5EE532FF.zip
Stage 3 URL: hXXps://unterteks.eastus2.cloudapp.azure[.]com/gbuster/barman.php
Stage 4 URL: hXXps://pspentregasonline[.]com/cor/amarelo.txt
Stage 1 Zipfile Name: mod2.zip
Stage 1 Zipfile SHA256: e44b18cfc6e3ae2e161f1c5bf59716754f734a48b8cda07e42f32bc55bc07a4f
Unzipped DLL Name: rqvufRfLLN.dll
Culebra Variant DLL SHA256: 2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025
Unpacked Culebra Variant DLL SHA256: e6bf7bc4b7f5235a307f5253ef3595d8aa50fefcfdb141d0e75c108676a584cd
C2: 20.206.126.228:55516

Intelligence

File Origin
# of uploads :
1
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2.zip
Verdict:
No threats detected
Analysis date:
2021-10-25 03:24:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0d4c765f-0a8b-4f65-8602-22fe8e3d55a6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199848/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6176a37d9a5a1e91c5d20dc0/reports/07a80fde-f604-48db-b86e-e86b8f67fc8d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2fb51a66-4e90-41ad-9c4e-5e68aae0c666
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
6 / 100
Link:
https://www.joesandbox.com/analysis/876104
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a/
Verdict:
suspicious
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211025-khk2vsgggn/
Unpacked files
SH256 hash:
35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
MD5 hash:
113badfe1404cd59640cad6b409acb98
SHA1 hash:
2621f79b2143ae3704e814756e01d326d5145a5a
Link:
https://www.unpac.me/results/5c905731-0bb6-46ed-b717-267c71b11e7e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Metamorfo

Microsoft Software Installer (MSI) msi 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f

Executable exe 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a

(this sample)

  
Link
https://tria.ge/211025-c7zybafeb5
  
Link
https://app.any.run/tasks/492835fc-937e-4b02-8c30-f26d6ddb0740
  
Dropped by
SHA256 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/199848/

Comments