MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c1ab4d0c8bbcd92c3bbc5d316a75360a46413036f14433ac0d1529b1a641828. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0c1ab4d0c8bbcd92c3bbc5d316a75360a46413036f14433ac0d1529b1a641828
SHA3-384 hash: 0dd97be7d626dad9ab45658d4e7d4b10e4963e856e0a30491bc6971dbcdc775657897db5fbac804975cd10a5f2df346f
SHA1 hash: 6c73bc4ef612053492d30f154e15cc3aeefd2532
MD5 hash: d01fa93efa131511e5de7a0ae5cf2784
humanhash: hot-vermont-spring-music
File name:Odeme.exe
Download: download sample
File size:938'360 bytes
First seen:2023-05-11 07:19:49 UTC
Last seen:2023-05-11 20:31:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 12288:NcrNS33L10QdrXjDDnuNtYXWhaEfvZ3IHjhr/Rmj8fSUlZP2qwivLBGg7Nwekw:wNA3R5drXfDuU8v6VmwfSpqwONNVkw
Threatray 489 similar samples on MalwareBazaar
TLSH T10C151251F6D288F2E4731736493AAB20697D7D701E34D52EA3D879399A335C1A230FA3
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4919c98933222301 (1 x AsyncRAT)
Reporter TeamDreier
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
248
Origin country :
DK DK
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Odeme.exe
Verdict:
Malicious activity
Analysis date:
2023-05-11 07:20:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/acd81902-b95f-40f3-b677-52f6dc14c22e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/388356/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.66809910.27586.13802.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Running batch commands
Creating a process from a recently created file
Creating a file
Unauthorized injection to a recently created process
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83477/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed quasar setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/645c97251114aa6fd98aed97/reports/ee506579-431b-4618-b70c-da340115e0fc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/0c1ab4d0c8bbcd92c3bbc5d316a75360a46413036f14433ac0d1529b1a641828
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4dd2376a-5ba6-44ae-a810-29d0688fb6fa
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1230603
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 863583 Sample: Odeme.exe Startdate: 11/05/2023 Architecture: WINDOWS Score: 64 50 Multi AV Scanner detection for submitted file 2->50 52 Sample uses string decryption to hide its real strings 2->52 11 Odeme.exe 3 10 2->11         started        process3 file4 44 C:\Users\user\AppData\...\hjnder.sfx.exe, PE32 11->44 dropped 14 cmd.exe 1 11->14         started        16 AcroRd32.exe 42 11->16         started        process5 process6 18 hjnder.sfx.exe 8 14->18         started        22 conhost.exe 14->22         started        24 RdrCEF.exe 55 16->24         started        dnsIp7 42 C:\Users\user\AppData\Local\Temp\hjnder.exe, PE32 18->42 dropped 54 Multi AV Scanner detection for dropped file 18->54 27 hjnder.exe 9 18->27         started        48 192.168.2.1 unknown unknown 24->48 file8 signatures9 process10 file11 46 C:\Users\user\AppData\...\hjbfdg.sfx.exe, PE32 27->46 dropped 30 cmd.exe 1 27->30         started        process12 process13 32 hjbfdg.sfx.exe 8 30->32         started        35 conhost.exe 30->35         started        file14 40 C:\Users\user\AppData\Local\Temp\hjbfdg.exe, PE32 32->40 dropped 37 hjbfdg.exe 32->37         started        process15 signatures16 56 Multi AV Scanner detection for dropped file 37->56 58 Machine Learning detection for dropped file 37->58
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0c1ab4d0c8bbcd92c3bbc5d316a75360a46413036f14433ac0d1529b1a641828/
Threat name:
Win32.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2023-05-11 05:30:04 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bqnljugixpgzfq53yxjrnj2tmcsgieydn4kegowa2fjjwgtedaua._file
Verdict:
malicious
Similar samples:
029166bde069ee02c46c3541bfe4f9ff8c97d9ff353f814c716e2d1fbdb29c1f
1de2e96d4ccbc3954e5a7932b823f268e565639a0aac20e41fae23248d32d1a2
50780178c6e35fc1107aa6aacb09c6d1a46d2200f909a95836c88cb7c3651c0e
7d634d0e72cf25b8a305b16a5ce905d772b98bbb2cd2af5cb848b6473ad94741
8a5e19573add3781a34714103c8452490e482569d22afaf8c2e86cd92c9105e0
94530ce58a289fbba223ab50512183f2dc1003ab227b144d6ec21c15cc427cce
b8f91cb2906c890e58423e51c9b5a63fe8948668d7a09e8920aec5ef62834ba0
c9dac6cd36781a54842910fd785651b3a9f1a96c88c2f005dda29ac9ebcdb4dc
d6730b5c86821069b831e8414566f9837f6b6686230f82bada788a2786309eb9
+ 479 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230511-h535vacc66/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
d2b44f3f83d53ab8b9e4457db174dc1c588239f7501814b6659e9997fcfd2f67
MD5 hash:
75edf364d833f745c2d7580364007ffb
SHA1 hash:
d525550782a69de9d490dc38000d218b0c5fcd7f
Link:
https://www.unpac.me/results/e495c075-fbc9-48c9-aef4-d1cb91e5d359/
SH256 hash:
74859c664f2193af360bf8aaa38521b1f39311a8429d45496b48fca51025f05d
MD5 hash:
37a491bca0f6d741604791a5e52fe219
SHA1 hash:
84eafcdd59bb9579d40695c35fb78317b79ec4b3
Link:
https://www.unpac.me/results/e495c075-fbc9-48c9-aef4-d1cb91e5d359/
SH256 hash:
0c1ab4d0c8bbcd92c3bbc5d316a75360a46413036f14433ac0d1529b1a641828
MD5 hash:
d01fa93efa131511e5de7a0ae5cf2784
SHA1 hash:
6c73bc4ef612053492d30f154e15cc3aeefd2532
Link:
https://www.unpac.me/results/e495c075-fbc9-48c9-aef4-d1cb91e5d359/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Executable exe 0c1ab4d0c8bbcd92c3bbc5d316a75360a46413036f14433ac0d1529b1a641828

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/388356/

Comments