MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
SHA3-384 hash: 7e1bdfaa5626738d6a95d7ed131312f851e130b304ad8cca4244a8df2d1a86aaff6bb91059594097eec6fa64d62e7ec5
SHA1 hash: 6eaea02ee0d59605234f10d2463c314cc34333bb
MD5 hash: c6d27eaff2fd1f517ae92ba9e831b8ab
humanhash: winter-muppet-louisiana-king
File name:熊猫烧香终极版_WIN10.exe
Download: download sample
File size:12'545'248 bytes
First seen:2025-01-05 13:33:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a56f115ee5ef2625bd949acaeec66b76 (53 x Stealc, 47 x PureHVNC, 28 x RedLineStealer)
ssdeep 196608:oQWoYWwkK0EnR6Qpyu0fMy2i4UyZjugRXgtnSfT8NlCjHZqgz3:+jWw1cVu6MWyZfwIw3Ctqk
TLSH T1BEC6336063506E5BED1027B549A6CB3C99007D265CB4A01DE4E0BE6F3237AD3AF4B47B
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.5% (.EXE) Win32 Executable (generic) (4504/4/1)
11.6% (.ICL) Windows Icons Library (generic) (2059/9)
11.5% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon 33e8d4b2b2716063
Reporter zhuzhu0009
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
401
Origin country :
JP JP
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
熊猫烧香终极版_WIN10.exe
Verdict:
Suspicious activity
Analysis date:
2025-01-05 13:35:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17fc0d51-5c72-43f3-943c-316e9c66efca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.DownLoad4.14729.13913.4234.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677a8b26c029bd73f282e987
Tags:
vmdetect madi
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Rebhip
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/679e8969-74bf-435c-9b4c-c53d08ac2ebd
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1584437
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Excessive usage of taskkill to terminate processes
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1584437 Sample: #U718a#U732b#U70e7#U9999#U7... Startdate: 05/01/2025 Architecture: WINDOWS Score: 100 46 Antivirus / Scanner detection for submitted sample 2->46 48 Multi AV Scanner detection for dropped file 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 3 other signatures 2->52 7 #U718a#U732b#U70e7#U9999#U7ec8#U6781#U7248_WIN10.exe 116 2->7         started        process3 file4 36 C:\panda.exe, PE32 7->36 dropped 38 C:\gamesetup.exe, PE32 7->38 dropped 40 C:\Users\user\AppData\Local\Temp\...\spec.fne, PE32 7->40 dropped 42 8 other malicious files 7->42 dropped 60 Query firmware table information (likely to detect VMs) 7->60 62 Excessive usage of taskkill to terminate processes 7->62 64 Hides threads from debuggers 7->64 66 Tries to detect sandboxes / dynamic malware analysis system (registry check) 7->66 11 gamesetup.exe 1 7->11         started        15 taskkill.exe 1 7->15         started        17 taskkill.exe 1 7->17         started        19 29 other processes 7->19 signatures5 process6 file7 44 C:\Windows\SysWOW64\drivers\spcolsv.exe, PE32 11->44 dropped 68 Antivirus detection for dropped file 11->68 70 Multi AV Scanner detection for dropped file 11->70 72 Machine Learning detection for dropped file 11->72 74 Drops executables to the windows directory (C:\Windows) and starts them 11->74 21 spcolsv.exe 11->21         started        24 conhost.exe 15->24         started        26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        30 conhost.exe 19->30         started        32 conhost.exe 19->32         started        34 25 other processes 19->34 signatures8 process9 signatures10 54 Antivirus detection for dropped file 21->54 56 Multi AV Scanner detection for dropped file 21->56 58 Machine Learning detection for dropped file 21->58
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3/
Threat name:
Win32.Spyware.Generic
Create hunting rule
Status:
Malicious
First seen:
2025-01-05 13:34:06 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
26 of 38 (68.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bxxtzoxmqtocoklwdnfeowinrcgpspwsbf6w37ln3j6twkkhd3zq._file
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery evasion themida trojan
Link:
https://tria.ge/reports/250105-qt3zpsvrcw/
Behaviour
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/71d4c6a2-51fd-44a5-9c8f-37703ced4da8
Unpacked files
SH256 hash:
056fbed996eb66200d4a1c6f2a01e1acbf065317cccc93a5ba0ba8d960e43097
MD5 hash:
70ea57866cb3d954bfe75c616eb908f4
SHA1 hash:
e0c49139c0d4138c0ba18425254e4bb734486ac1
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
SH256 hash:
e7d2753d55876f89967727e909d7bcbdf36653a8be2c5f9f57789fec4d4284ed
MD5 hash:
3520d3565273e41c9eeb04675d05dca8
SHA1 hash:
bb1d8fa7ee4e59844c1feb7b27a73f9b47d36a0a
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
SH256 hash:
d1d5f7cdc1ec41bba0ae3391d58409c8d710e5526559168cac5f0fdc510d245b
MD5 hash:
f5efa94419f190dd8b6af402efc8ac7f
SHA1 hash:
f8dfef0b9096d0bc9853548458d05612023f5d3a
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
SH256 hash:
a8b14f31098a191631696db5ddc77e029b48999542e0ec15b63df02220c66d37
MD5 hash:
dba5fdbe7ec94463b3f6fdf2162c9f95
SHA1 hash:
a97137b4f2b77166b2a23da1f58e0bdb7365f4f2
Detections:
win_xiaoba_auto
Create hunting rule
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
Parent samples :
05cc7a32e5a0023f9e1c790f97b069ccd27ada59ea8b9864f7f9069e3049663c
0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
0b2a852742c7d974fe16a45a7c6fb5efcf7b03f19e7029f9c43284a2ea5be84f
b59199454fb6665bfd64c5a88d13532eb56b22735b83ba262cc643dd290d5f97
e30a9bee5ee26e31edbdd2654969551cbabd2694b8703539f768c04b53c19be0
SH256 hash:
0a12fcbe6832aad4143dd2ad87a60e9ff4f04fa440831f910557f820ba21fe18
MD5 hash:
9c80fda2e1e98f3ab0873a2ea3e6be7f
SHA1 hash:
6eac9c5ef36a4d799bdf683823a4f3e912f4f470
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
SH256 hash:
53483523c316ad8c022c2b07a5cabfff3339bc5cb5e4ac24c3260eea4f4d9731
MD5 hash:
7c1ff88991f5eafab82b1beaefc33a42
SHA1 hash:
5ea338434c4c070aaf4e4e3952b4b08b551267bc
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
SH256 hash:
58e5d6246a0555c2afeeac51ae12ecda459f377e87b92cb4d7a0ddc055abbbca
MD5 hash:
4ea6c6b972965aa0a0f11515ec46ec0c
SHA1 hash:
114f24efb002d64b93357c718167ba018a00b579
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
SH256 hash:
0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3
MD5 hash:
c6d27eaff2fd1f517ae92ba9e831b8ab
SHA1 hash:
6eaea02ee0d59605234f10d2463c314cc34333bb
Link:
https://www.unpac.me/results/22eaf6f8-d6ad-42e6-81be-3e84f46aed60/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0def3cbaec84dc2729761b4a47590d888cf93ed2097d6dfd6dda7d3b29471ef3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high

Comments