MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbe27506c78a9c364bdadfbdbcfe6c60a436aa3c06c0d83494ef4edda50cd93e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	fbe27506c78a9c364bdadfbdbcfe6c60a436aa3c06c0d83494ef4edda50cd93e
SHA3-384 hash:	35d674e05ea459ae4be0d54b7d712ef9c204b8d68d4398fbdcc51f1bac9cd7c6fa78828dc12bc604cd2f6966ac9df550
SHA1 hash:	a8f25c537954152b9b3eb46d2d2a0b3f90743e7c
MD5 hash:	4c63a73407440f6c1acd37e6dcbe7677
humanhash:	mississippi-rugby-cup-oranges
File name:	Build.exe
Download:	download sample
File size:	1'338'880 bytes
First seen:	2020-08-27 07:51:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	24576:JG/l8dcT9yLxBcBIY/+lYEsmCKBCCCYArsjXK3FGyrPus:JG/D9UxB2WlY3mxgXzrIXK8g
Threatray	13 similar samples on MalwareBazaar
TLSH	A25533020980158EE45DC1B3D4E9AA7B92964FCAB0CDD79B2EB114CED11722FA4D37E7
Reporter	3xp0rtblog
Tags:	Clipper E-Clipper

3xp0rtblog

https://bazaar.abuse.ch/sample/ff93ab320749a17363f81262c5721627fb11ba13b39df725fdf75394e25859f9/

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/51658/

Detection(s):

SecuriteInfo.com.EXE.Obfus-4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a file in the %AppData% subdirectories

DNS request

Sending a custom TCP request

Creating a window

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/452351

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fbe27506c78a9c364bdadfbdbcfe6c60a436aa3c06c0d83494ef4edda50cd93e/

Threat name:

Win32.Trojan.CryptInject

Status:

Malicious

First seen:

2020-08-20 04:16:10 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Verdict:

malicious

2ba0f2e22ed07ca3188c898a0c9256fd30e878916ebe669ed52b25cb18d5ccde

2d403f971f502d2423b11dcca6424edc460b6c290cb76107d7f36a37565791e8

4d9b89978e6ca9cf14cb1f04859e01e66c1e0dbefedd1663617647535c0b3fa0

6005ff1373b7a3600ad4b5700b4d9b6c13827015a97fea1b030189655bd8e986

6057a10b27aebb92f7d961ce23929dc41579f6da1dcbf28572d8c5f0ffac488b

632562060da02f7ed5e92b1fe1bd94ce8d993cb134e93f8294beade2f0f42974

758c9e9642b467c181548b07d7d47e32e2e37ce7298e0d89674fdbcbe13eb50e

b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218

b9c037384eaa82706baf7c3cd5e1550fe9ad24083edeb00e55d9da8198ea6ee3

+ 3 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion persistence

Link:

https://tria.ge/reports/200827-hnkz9jgbk6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Checks BIOS information in registry

Identifies Wine through registry keys

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Themida

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/fbe27506c78a9c364bdadfbdbcfe6c60a436aa3c06c0d83494ef4edda50cd93e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

any.run

https://app.any.run/tasks/64122185-4c66-4b84-a1d8-8d4379ba8fc8/

https://twitter.com/3xp0rtblog/status/1296149569521229824?s=20

Link

https://github.com/3xp0rt/E-Clipper

Cape

https://www.capesandbox.com/analysis/51658/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample