MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03870d02acc6e280b035822949dc6cc3b576cbc487497d0f358c3e05d969a23a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 03870d02acc6e280b035822949dc6cc3b576cbc487497d0f358c3e05d969a23a
SHA3-384 hash: 278ff1e1bd4e98e2168d138f8a2f5f19b54711f253fd8ab61fa0615c40fc03d37a83e0b2d155c48b27a1b04c31385297
SHA1 hash: c46b1c48ec8f9f4ee7011fc33e5b8cba492ae347
MD5 hash: ec5320ddd3845cdebefdc9f719b91a9b
humanhash: march-berlin-kentucky-oxygen
File name:SecuriteInfo.com.PSW.Generic13.ARKD.17766.27450
Download: download sample
File size:242'176 bytes
First seen:2020-06-19 14:43:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc2975df0525e0cb76433764a004590d
ssdeep 6144:WtU/jHnrDMSO1EtJ5A4D6gCNE2m7q/v0HgwW:Wm8SO1oJu4u9lm7qhwW
Threatray 77 similar samples on MalwareBazaar
TLSH 82348D13B152C531E6B300B049AAD7E2267D7C762B2A95D37B983F7E9B701D0AA35307
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9596/
Detection(s):
SecuriteInfo.com.PSW.Generic13.ARKD.17766.27450.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Bebloh
Create hunting rule
Status:
Malicious
First seen:
2018-03-13 07:52:02 UTC
File Type:
PE (Exe)
Extracted files:
15
AV detection:
41 of 48 (85.42%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0113bd3f12bff0f48245769e98360ce71e60eb89cf91864428d8f313d6d7b395
335c0e4430a08956f796611b3ebf273117e784ee1d728d7b8fcb9997c98735cc
3bbfbe3de9cb174f9d7c579f5e404482778924df85eb4b9daa03a274fc91eb91
5e9d81a4ddccdf9d0b6d6b940c2091b2f2b89d360244e61256b19db94904b100
89c7c8a795578ef239fef68fe949c29f50f7f40833f6eb87eabf66cae290eab6
b78996718e94fe9cf9cc228f474b774fd7bd54133762d183ba2e6c141b3a218a
bbeaa86003be4d14ff5643c47d20ca8a44e4d7e655bda8a93439fbe7dd4e9066
c3be55a58b2afa08ba8520d981c50ab773113da36b139985ad16e5fab39ac145
e11ef3018a3163e4f03ec0a5ec6f300817c5f44cc6ecf86dc2d0aeb4a7327835
f5c5eace359aec6749e2f0916424f1284ecb5cf4f3b7d2678dd3fc1907925cec
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201109-8z582br3ex/
Behaviour
Checks SCSI registry key(s)
Checks BIOS information in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_NK_Methodology_Artificial_UserAgent_IE_Win7
Create hunting rule
Author:Steve Miller aka @stvemillertime
Description:Detects hard-coded User-Agent string that has been present in several APT37 malware families.
Rule name:Bebloh
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Bebloh(a.k.a. URLZone) in memory
Reference:internal research
Rule name:IMPLANT_4_v10
Create hunting rule
Author:US CERT
Description:BlackEnergy / Voodoo Bear Implant by APT28
Reference:https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE
Rule name:win_urlzone_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator
Rule name:win_urlzone_g0
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de
Description:2013-07-10 URLZone Banking Trojan

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 03870d02acc6e280b035822949dc6cc3b576cbc487497d0f358c3e05d969a23a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/78/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9596/

Comments