MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a
SHA3-384 hash: f11b1ae9ab55790242a51850aad5dbb8557db603a6ab32058c876083f2d684d9b5b0d939a4e6d8c6ad5528ecd4ba24d6
SHA1 hash: 4106494cca5ac6914504b15a0e895cd1f4ceed0b
MD5 hash: dc4a53d183206f20627879ded2edcf91
humanhash: speaker-juliet-spring-undress
File name:1dBpUZ.exe
Download: download sample
File size:14'848 bytes
First seen:2022-05-16 22:08:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 384:WKqxNbS464Jc9KlQXa2JBeYq3U+5S3UuX:23W46Z9+3UR3XX
Threatray 1'288 similar samples on MalwareBazaar
TLSH T14A62BA0B639A4379D5A10B76AD720BA64374D302BE4FDB4A6854E6163F73BC34E91B10
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 89f1f1e9b9e9d138
Reporter JaffaCakes118
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
242
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1dBpUZ.exe
Verdict:
No threats detected
Analysis date:
2022-05-16 22:14:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7115ec1f-1ea1-412d-b3b6-9975fe3561d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/271309/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe obfuscated
Link:
https://www.filescan.io/uploads/6282cb8722b733139c225254/reports/96abf3ed-bb80-4061-a4ca-f5c2bfb8e880/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ac2e36fe-8565-4598-a942-be614945b393
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/995404
Signature
Creates an undocumented autostart registry key
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Potential dropper URLs found in powershell memory
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected MSILDownloaderGeneric
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 627900 Sample: 1dBpUZ.exe Startdate: 17/05/2022 Architecture: WINDOWS Score: 88 27 ipbase.com 2->27 29 freegeoip.app 2->29 31 2 other IPs or domains 2->31 37 Yara detected Telegram RAT 2->37 39 Yara detected MSILDownloaderGeneric 2->39 41 Found many strings related to Crypto-Wallets (likely being stolen) 2->41 43 3 other signatures 2->43 8 1dBpUZ.exe 14 7 2->8         started        signatures3 process4 dnsIp5 33 discordapp.com 162.159.129.233, 443, 49767, 49852 CLOUDFLARENETUS United States 8->33 35 cdn.discordapp.com 8->35 25 C:\Users\user\...\Quickbooksweb 1.1.16.5.exe, PE32+ 8->25 dropped 45 Creates an undocumented autostart registry key 8->45 47 Encrypted powershell cmdline option found 8->47 49 Modifies the context of a thread in another process (thread injection) 8->49 51 Injects a PE file into a foreign processes 8->51 13 cmd.exe 1 8->13         started        15 powershell.exe 23 8->15         started        17 1dBpUZ.exe 2 8->17         started        file6 signatures7 process8 process9 19 conhost.exe 13->19         started        21 timeout.exe 1 13->21         started        23 conhost.exe 15->23         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 22:09:04 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
7 of 41 (17.07%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
0332caaf051fed36cd7c7cd8c8ee52b196238673afa8f432873fbdf43336a31b
2a0767471616464cd417aca763961cb7cb7ed22ec096931afae4af1adcb1f700
3d5194f12c6b21b79d636f65e29f308aad0bfdd1cd7e00c54cb8488b1867ff9f
557a565c06f7afd0595510577dd1ff500c70fefe72a57fd2c12152353a3c1608
55b9b380e7b5173e1481af8f2379a2490f54dfef43324ed9dc71e21a48207a9a
5cfe7a77271ab8187988cdd1a9259c16cb636dcf6c63aceb977f62aa570ab419
b12ed3f10bbc4e4ade3f53856b19c7ab878eb023389a8b6c4c3c495a0ea97f86
f9f2aa7c6b6eb3e517db83b183bc85029fe0592ad99885e5a63e692215f0722c
+ 1'278 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection spyware stealer
Link:
https://tria.ge/reports/220516-12rlrabgf7/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks computer location settings
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a
MD5 hash:
dc4a53d183206f20627879ded2edcf91
SHA1 hash:
4106494cca5ac6914504b15a0e895cd1f4ceed0b
Link:
https://www.unpac.me/results/d1fe2690-f1f3-481d-83c0-5dc7e1ee543b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0ab6fc39f65f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
Author:ditekSHen
Description:Detects executables Discord URL observed in first stage droppers
Rule name:SUSP_Discord_Attachments_URL
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PE file that contains an Discord Attachments URL. This is often used by Malware to download further payloads
Rule name:SUSP_PE_Discord_Attachment_Oct21_1
Create hunting rule
Author:Florian Roth
Description:Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN)
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 0ab6fc39f65f1c1d2196dcaa8ded12df941a3051c523d902f4e6458bd40a9e7a

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/271309/

Comments