MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8
SHA3-384 hash: b147c540cade3d3a196e400169b08e39d47c05151b16ee05de2fdddcb01e6be322607cf94386842f62f19ea132bdf2f9
SHA1 hash: 0dd36daa5e379fb46087d7d75a26426d33f8a4da
MD5 hash: 0f66f7a1508c4d825e5c7d1d1a3f8d71
humanhash: happy-alpha-bluebird-nitrogen
File name:0f66f7a1508c4d825e5c7d1d1a3f8d71
Download: download sample
File size:4'189'184 bytes
First seen:2021-12-01 14:16:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:oL+Np1HpZDByWjY41sGr6O/34RNNIAXEdW7/IyJnZBf:oL6zByIqGrBvYNkdW7wYZBf
Threatray 1'808 similar samples on MalwareBazaar
TLSH T1A31612E8766072EEC457C472AEA96C78BBA079BB871F4013805365ED991C8C3DF254B3
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://cheats2021.site/1/test.exe
Verdict:
No threats detected
Analysis date:
2021-11-22 02:18:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/330febce-181e-421f-bfb3-3cad7bc5ac6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/210335/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Сreating synchronization primitives
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Launching a process
Adding an access-denied ACE
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61a783e0f9d950eb11b59b81/reports/8793fd72-5a0d-4c89-ba32-4eb57d60ea33/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f78b3a85-2921-4688-b3a0-737d91404882
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/899473
Signature
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8/
Threat name:
ByteCode-MSIL.Trojan.Tegbot
Create hunting rule
Status:
Suspicious
First seen:
2021-11-30 07:49:00 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
15
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
19f221e3d5d01b6f9d55d2effc6922902fe43f4efcdedcba5e2d8dd836f55eca
477e132d01be6d0173535f7dca9b686ec765caccb85a12ed8ad8e4afe81d98a3
55f1305bad8076d3c22ce42ca8e8383b04e4463cbcbd6b8d846422cbd2317a05
7fc3016705992d80a983c5de4cf83c1c75b3aae80c23eb00b7563cd97116181e
a26f73bdf4e245179dc1920119de2dc3b64a24f36e14ba324eba469e066bdc93
c87e6397cfee421392ddb68a814bc6370ff72ab3d32606ec147d66b8ed70db50
df1534cde336da3669ca6a0fc274df68ab3b76d03eb35223f3916692ede16ca2
e0d3d2a5eb8c5972bebd5f5b438eea137cc8d863e8df0dce8cd9a667d84aa594
e64cc16a4434a1db6a4d0d5bad1d22f8436a97b2c0309de90922495f6d925ed4
e8b1a240c6fad4dd2e7bd0b08a0681131f2804d64d58869e60ad333cddc58cb0
+ 1'798 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211201-rlpb1scggq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8
MD5 hash:
0f66f7a1508c4d825e5c7d1d1a3f8d71
SHA1 hash:
0dd36daa5e379fb46087d7d75a26426d33f8a4da
Link:
https://www.unpac.me/results/7c973669-9324-4a09-b01b-fa4818d9639d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0555b34b40f176362f5b9e070253358d8faec831f9675c03adfdb2929d168ee8

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1841893/
Cape
Cape
https://www.capesandbox.com/analysis/210335/

Comments


Avatar
zbet commented on 2021-12-01 14:16:30 UTC

url : hxxp://cheats2021.site/1/test.exe