MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de6705a5123be501fd35e7025b439b07fb0f43227b0bf071ff2167927a418da9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de6705a5123be501fd35e7025b439b07fb0f43227b0bf071ff2167927a418da9
SHA3-384 hash: c6b14aeb69a7c92b44253952ed2b0bd99fb81500ec2def0ecd728cb9311e6a1b368d33d5c292cc9f9dbc6b2c86979bba
SHA1 hash: bfbe22c286a071aa63601e98ce2e16433f821359
MD5 hash: e1b2163a2a98e68ede73b06862cc6842
humanhash: steak-oven-indigo-don
File name:ChampCup.exe
Download: download sample
File size:38'933'555 bytes
First seen:2022-11-12 07:27:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a6cec5b1a631d592d80900ab7e1de8df (3 x IRCbot, 3 x CobaltStrike, 3 x RedLineStealer)
ssdeep 786432:Tf+gX4BMdhwzTQXRbFbPpYFcSS5U/LT2KRVy45S31gDryVmddux7uyCCg:1XGMK4XRhbxSCU/+Oy45SSDryVQdux7u
Threatray 3 similar samples on MalwareBazaar
TLSH T110873341B6D808DBF4AA2735F5A7830BCD45F06987E3D7DB41200253449B7A63EBBB68
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon f0c84c546c4cf8f0
Reporter milannshrestga
Tags:exe


Avatar
milannshrestga
Downloaded from /champcup.io/

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
NP NP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ChampCup.exe
Verdict:
No threats detected
Analysis date:
2022-11-12 07:28:44 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bebcad89-26f6-4779-8d73-adf50085d60f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51617/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/636f4b0520a0b4943a8f0b31/reports/3a36c081-95ca-4e43-9092-5747ecb49212/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/1111729
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ztqljishpsqd7jv44bfwq43a75q6qzcpmf7a4p7eftze6sbrwuq._file
Verdict:
unknown
Similar samples:
5e0eb79c69c7e3e88abf119505ee648f0980b190da91620e77e2bde0d892223d
7e699ba56009236e84633bd1b1d217bd658a0304d3138353094998779c69898c
832291f81a05ffa2de3e741812c0421cffae48f3abce407a5ba3e25bcb83a8d1
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/221112-janmcaec46/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Loads dropped DLL
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7b68a7d3-71ce-46cb-80e0-dc833034e74e
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/de6705a5123be501fd35e7025b439b07fb0f43227b0bf071ff2167927a418da9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments