MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e
SHA3-384 hash: 4db3a840551226e08cfec258581bdb9a842dc9555616f2bf2dc222c2ec033b8d7368311decfec768d8ec528d66c04167
SHA1 hash: 4718dd599d5ae6f08093d1bc251b3564d71b1fc2
MD5 hash: 3f7feb8491c4b21321d60b2422d82e97
humanhash: magazine-apart-georgia-ohio
File name:3f7feb8491c4b21321d60b2422d82e97
Download: download sample
File size:6'447'104 bytes
First seen:2021-08-15 18:58:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 196608:/GSGzpnyRAiW9M5tfKY3QbZHEpVsv1LpOrx:/GSGzpytW9egk7OdO
Threatray 4 similar samples on MalwareBazaar
TLSH T10556339543F5B961E7732E700C8A2FCCB9C61ED6861639FEA22C1E31BF7545120E36A4
dhash icon cbc735195b9aca16
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3f7feb8491c4b21321d60b2422d82e97
Verdict:
No threats detected
Analysis date:
2021-08-15 18:59:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0270118a-6132-41a5-88b3-a505e9d650ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/179389/
Detection(s):
Win.Packed.Bulz-9886148-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
DNS request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/94350c2b-43dd-4abb-a11c-1ecb0676555d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/833216
Signature
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 465647 Sample: McBK62K838 Startdate: 15/08/2021 Architecture: WINDOWS Score: 68 32 www.google.com 2->32 44 Multi AV Scanner detection for dropped file 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 Machine Learning detection for sample 2->48 50 Machine Learning detection for dropped file 2->50 8 McBK62K838.exe 5 2->8         started        signatures3 process4 dnsIp5 34 193.32.191.215, 4444, 49734 BITWEB-ASRU Russian Federation 8->34 30 C:\Users\user\AppData\...\McBK62K838.exe, PE32+ 8->30 dropped 52 Creates an undocumented autostart registry key 8->52 13 powershell.exe 18 8->13         started        16 powershell.exe 18 8->16         started        18 powershell.exe 17 8->18         started        20 powershell.exe 19 8->20         started        file6 signatures7 process8 dnsIp9 36 www.google.com 13->36 22 conhost.exe 13->22         started        38 www.google.com 16->38 24 conhost.exe 16->24         started        40 www.google.com 18->40 26 conhost.exe 18->26         started        42 www.google.com 20->42 28 conhost.exe 20->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-15 18:59:06 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
afc5327b0243d34ef6b010802a517549e124a29aee025a59b7ea56fac3489e98
c274d34d71a4dfd793b69aeb11803f43d0f5a3e3e4117f7c34f658823bee14ff
e2702a0e03106dadd2707d92cd719283c2431903e6ce551fe351802fa180574a
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210815-f3ctzqypge/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e
MD5 hash:
3f7feb8491c4b21321d60b2422d82e97
SHA1 hash:
4718dd599d5ae6f08093d1bc251b3564d71b1fc2
Link:
https://www.unpac.me/results/1ba16bc6-e892-47c1-b6a9-6f46f1ca5521/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/129e52b2c93c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 129e52b2c93cc026192d8cc216c345ec4492e9f67e6e0a80daa3619c6857574e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1523521/
Cape
Cape
https://www.capesandbox.com/analysis/179389/

Comments


Avatar
zbet commented on 2021-08-15 18:58:04 UTC

url : hxxp://45.137.190.197/mine.exe