MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 14

Intelligence 14 IOCs YARA 6 File information Comments

SHA256 hash:	012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2
SHA3-384 hash:	ee4825cdd48564ae6b7d9aeb7f1b36723424b1f8f1dde883c4d418862dec669c8a3568fe68e14b88a2dd4d0f7378265a
SHA1 hash:	eefb1b43496c24994f99ba0ad0687dcce06b40fa
MD5 hash:	c07d929fe7f018d5ff91ee64342ebb64
humanhash:	magazine-december-mirror-whiskey
File name:	2023-02-05_c07d929fe7f018d5ff91ee64342ebb64_magniber
Download:	download sample
File size:	6'963'712 bytes
First seen:	2023-02-05 18:18:03 UTC
Last seen:	2023-02-06 05:14:28 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	98304:gnsmtk2aWWanxBhCuAmNimxl74FqaZZk8ymjcvnvXUU7uSmnhRZe:+L6uCuhJaZulnvXtDOhRZe
Threatray	1'570 similar samples on MalwareBazaar
TLSH	T15F66D001FBD2C172D963017508AA931E9979BA151B305ED7F3D81F0E5E322D26E3B29B
TrID	72.8% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 21.6% (.CPL) Windows Control Panel Item (generic) (197083/11/60) 1.5% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.1% (.EXE) Win64 Executable (generic) (10523/12/4) 1.0% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
dhash icon	e84e332b2b338de8
Reporter	petikvx

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2023-02-05_c07d929fe7f018d5ff91ee64342ebb64_magniber

Verdict:

Malicious activity

Analysis date:

2023-02-05 18:21:27 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/63d8af67-8fc0-4468-87a8-7802512dbf26

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360442/

Detection(s):

PUA.Win.Packer.D1s1g-5

PUA.Win.Packer.D1s1g-1

PUA.Win.Packer.D1s1g-2

Win.Trojan.Emotet-9850453-0

Win.Trojan.Generic-9936029-0

Win.Malware.Delf-6899401-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Moving a recently created file

Searching for the window

Creating a file in the %temp% directory

Moving a file to the %temp% directory

Modifying an executable file

DNS request

Sending an HTTP GET request

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Infecting executable files

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/65451/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug cmd.exe emotet evasive fingerprint greyware hacktool keylogger macros macros-on-close macros-on-open msiexec.exe obfuscated packed packed shell32.dll

Link:

https://www.filescan.io/uploads/63dff3172d4f6d560e244ece/reports/7c6bd44f-fb10-43ce-bd07-d70619d9c811/overview

Verdict:

Malicious

Labled as:

Delf.NBX virus

Link:

https://www.hybrid-analysis.com/sample/012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/122ba27b-6027-4c60-b97e-6bca8150dc81

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1166087

Signature

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Drops PE files to the document folder of the user

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2/

Threat name:

Win32.Worm.Zorex

Status:

Malicious

First seen:

2021-09-06 11:17:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

36 of 39 (92.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aewo3tkrrgbcrw4l7cy2z7ee7wwdx7hob66fxynmyhognok2cxja._file

Verdict:

malicious

5f8e4f09fc35eba76368e70dcdfb861b1d19b7155678f0299befef9c3156919f

98f57a58e8c04c7905cd96329487ea551f61ec1265d991f502fe7413254def12

a49f6e00c0468e074fa2204a7862c22aa3b934af4f2bb281c55d8bb65da67e44

a4bdfb7869d435589479e095b8d0c9c2b8f987bd3a8c961424376f18c31c650f

ca6de5ed4051ec20b8612d30b3962397fa0b6e209a2d223cef37708150e48df4

f080bf1c00fb050cc2a92fb17c08cd22d427782c6f47c532a2462ce3325905f0

f08f4ef5a25eb5b4cda69a00e368c26177fef73e69f3ae34e291b61784a16f82

f954f5ad26b3efdfe4607fa4b0ff25fb82f7284490b283e2fda53b911e88094e

+ 1'560 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence

Link:

https://tria.ge/reports/230205-wxm1jsdg5x/

Behaviour

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Unpacked files

SH256 hash:

012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2

MD5 hash:

c07d929fe7f018d5ff91ee64342ebb64

SHA1 hash:

eefb1b43496c24994f99ba0ad0687dcce06b40fa

Detections:

win_retefe_g0

Link:

https://www.unpac.me/results/12f65f77-9c5b-46b4-80ac-5b0d895f31f9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/012cedcd5189/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/012cedcd51898228db8bf8b1acfc84fdac3bfcee0fbc5be1acc1dc66b95a15d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_GuLoader Create hunting rule
Author:	ditekSHen
Description:	Shellcode injector and downloader

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	yara_template Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/360442/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample