MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 8



SHA256 hash: 15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0
SHA3-384 hash: b090206bf6e1ebe813995b50be61f3c9467073941392d952b11c0e926854b59ea71792b9f85798ab76a606c24b6fe284
SHA1 hash: e76853f6742b76f94d8dd2cb4864cd265e52bf08
MD5 hash: 7afac9710e7ce1ff9b3b876702a8da03
humanhash: romeo-nevada-may-earth
File name: WB.exe
File size: 8'212'480 bytes
First seen: 2021-01-10 09:04:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3c48672e40f3ef84d274746ae4642c43
ssdeep: 196608:Jx1BUfEjCaD8hZT+oJOtGjdwfdY6p/Xp4JFOU:DKBl+4kXH/Xp4v
Threatray: 98 similar samples on MalwareBazaar
TLSH: 72863339B5D280F6D741243108A6777B9A7ADB051B15CF83D75CEE2A2C23283963727B
Reporter: LoveKaspersky
Tags: backdoor phishing

Intelligence


File Origin
# of uploads: 1
# of downloads: 438
Origin country: n/a
Vendor Threat Intelligence
Detection(s):
Win.Tool.Shadowbrokers-9800457-0
SecuriteInfo.com.PUA.HackTool.AYAW.21626.24156.UNOFFICIAL
SecuriteInfo.com.Atros5.AYKO.23902.316.UNOFFICIAL
SecuriteInfo.com.Atros5.ARWW.22944.20661.UNOFFICIAL
Win.Exploit.EQGRP-6322722-0
SecuriteInfo.com.PUA.HackTool.AXIG.32225.7220.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYAY.21834.10148.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYAX.9418.28571.UNOFFICIAL
Win.Exploit.Doublepulsar-7427328-0
Xml.Exploit.EQGRP-6322720-0
SecuriteInfo.com.PUA.HackTool.AYFW.18517.7054.UNOFFICIAL
Win.Exploit.Eternal-6320394-0
Win.Exploit.EternalBlue-6320312-0
SecuriteInfo.com.Worm.HAK.25916.271.UNOFFICIAL
Win.Trojan.Agent-6284386-0
SecuriteInfo.com.Worm.HAJ.16325.18140.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXIH.5076.5462.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXVR.20684.25408.UNOFFICIAL
SecuriteInfo.com.SCGeneric1.AUS.8257.24509.UNOFFICIAL
Win.Malware.Zusy-6840460-0
SecuriteInfo.com.Atros5.BNXK.23809.4538.UNOFFICIAL
Win.Trojan.Agent-6284384-0
SecuriteInfo.com.SCGeneric1.VHR.9057.13678.UNOFFICIAL
SecuriteInfo.com.SCGeneric1.DDX.8086.25036.UNOFFICIAL
SecuriteInfo.com.Trojan.GenericKD.43952860.17155.5187.UNOFFICIAL
PUA.Win.Malware.Generic-6651521-0
SecuriteInfo.com.SCGeneric_c.BQZI.88.8913.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXLR.22934.26133.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXLW.6957.18154.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYAZ.32016.26351.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYBA.26448.25415.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYBC.3480.7623.UNOFFICIAL
Win.Malware.Shadowbrokers-9813842-0
Win.Tool.Shadowbrokers-9782549-0
SecuriteInfo.com.PUA.HackTool.AYBB.20886.2780.UNOFFICIAL
SecuriteInfo.com.SCGeneric1.DEP.4289.2668.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXLF.23008.23193.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXIL.30592.4474.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYBE.28513.5588.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXQH.2798.26400.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXII.19882.30270.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXOY.30129.22044.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AXIK.19547.2787.UNOFFICIAL
SecuriteInfo.com.PUA.HackTool.AYBD.26467.19803.UNOFFICIAL
Win.Malware.Shadowbrokers-9805565-0
PUA.Win.Packer.Upolyx-12
SecuriteInfo.com.PUA.HackTool.AXOP.11659.17562.UNOFFICIAL
Win.Tool.Shadowbrokers-9775051-0
Win.Malware.Mikey-9785354-0
Win.Trojan.Agent-6288238-0
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows directory
Delayed reading of the file
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Sending a UDP request
Sending a custom TCP request
Connection attempt
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: ETERNALBLUE
Detection: malicious
Classification: expl.evad
Score: 92 / 100
Signature
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected ETERNALBLUE
Behaviour

Behavior Graph ID: 337764
Sample: WB.exe
Start date: 10/01/2021
Architecture: WINDOWS
Score: 92

Signatures on the submitted sample: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 4 other signatures

Process tree (files dropped, network contacts and signatures are listed under the process they belong to):

WB.exe (started)
    dropped: C:\Windows\esp\eteb-2.dll (PE32); C:\Windows\esp\coli-0.dll (PE32); C:\Windows\esp\cnli-1.dll (PE32); 51 other files (9 malicious)
    signature: Drops executables to the windows directory (C:\Windows) and starts them
    Intarnet.exe (started)
        network: 192.168.2.100 (unknown); 192.168.2.101 (unknown); 98 other IPs or domains
        signature: Machine Learning detection for dropped file
        cmd.exe (started)
            MS_17_010_Scan.exe (started)
                dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32); C:\Users\user\AppData\Local\...\select.pyd (PE32); C:\Users\user\AppData\Local\...\python27.dll (PE32); 5 other files (none is malicious)
                signature: Antivirus detection for dropped file
                MS_17_010_Scan.exe (started)
            conhost.exe (started)
        cmd.exe (started)
            MS_17_010_Scan.exe (started)
                dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32); C:\Users\user\AppData\Local\...\select.pyd (PE32); C:\Users\user\AppData\Local\...\python27.dll (PE32); 5 other files (none is malicious)
                signature: Drops executables to the windows directory (C:\Windows) and starts them
                MS_17_010_Scan.exe (started)
            conhost.exe (started)
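The behaviour graph above shows one dropped process, Intarnet.exe, reaching 192.168.2.100, 192.168.2.101 and 98 further hosts before launching MS_17_010_Scan.exe: a single process sweeping a local subnet. The Python below is an added example, not code from MalwareBazaar or from the sandbox vendor, of detection logic for that pattern run over endpoint network events. The event shape (timestamp, process image, destination IP, destination port), the thresholds, and the restriction to TCP/445 (the SMB port that MS17-010 tooling targets, a fact not stated on this page) are assumptions, and every event it processes is constructed.

```python
"""
Added example: flag a process that connects to many distinct hosts in one /24
within a short window, the pattern Intarnet.exe shows in the behaviour graph.
Event shape, thresholds and the port filter are assumptions; events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def detect_subnet_sweep(events, min_hosts=20, window=timedelta(minutes=5), ports=(445,)):
    """Return one alert per (process image, /24) whose count of distinct destination
    hosts inside any `window` reaches `min_hosts`.
    `events` is an iterable of (timestamp, image, dst_ip, dst_port)."""
    by_key = defaultdict(list)
    for ts, image, dst_ip, dst_port in events:
        if dst_port not in ports:
            continue
        ip = ipaddress.ip_address(dst_ip)
        # Private-range IPv4 only: the sweep of interest is lateral, not egress.
        if ip.version != 4 or not ip.is_private:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_key[(image, str(net))].append((ts, str(ip)))

    alerts = []
    for (image, net), conns in by_key.items():
        conns.sort()
        in_window = {}            # dst_ip -> connections currently inside the window
        start, peak, peak_at = 0, 0, None
        for ts, ip in conns:
            in_window[ip] = in_window.get(ip, 0) + 1
            # Slide the window start past connections older than `window`.
            while ts - conns[start][0] > window:
                old_ip = conns[start][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                start += 1
            if len(in_window) > peak:
                peak, peak_at = len(in_window), ts
        if peak >= min_hosts:
            alerts.append({"image": image, "subnet": net, "distinct_hosts": peak,
                           "peak_at": peak_at, "first_seen": conns[0][0],
                           "last_seen": conns[-1][0]})
    return alerts


def constructed_events():
    """Constructed telemetry (not from the sandbox run): a 60-host sweep by
    Intarnet.exe, a little benign SMB traffic, one egress connection, and a slow
    backup job that touches many hosts but never many within five minutes."""
    t0 = datetime(2021, 1, 10, 9, 4, 19)
    events = [(t0 + timedelta(seconds=i), "Intarnet.exe", f"192.168.2.{100 + i}", 445)
              for i in range(60)]
    events += [(t0, "chrome.exe", "93.184.216.34", 443),
               (t0 + timedelta(seconds=5), "svchost.exe", "192.168.2.10", 445),
               (t0 + timedelta(seconds=6), "svchost.exe", "192.168.2.11", 445)]
    events += [(t0 + timedelta(minutes=20 * i), "backup.exe", f"10.0.0.{1 + i}", 445)
               for i in range(30)]
    return events


if __name__ == "__main__":
    for alert in detect_subnet_sweep(constructed_events()):
        print(f"{alert['image']} swept {alert['distinct_hosts']} hosts in {alert['subnet']} "
              f"between {alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S}")
```

The window matters as much as the host count: the same 30 hosts spread over ten hours (the backup job in the constructed data) should not page anyone, while 60 hosts in a minute should. Lower `min_hosts` to tune for small subnets, and widen `ports` if the tooling you care about also probes 139 or RDP.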
Threat name: Win32.Exploit.ShadowBrokers
Status: Malicious
First seen: 2021-01-10 06:52:00 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Unpacked files

SHA256 hash: 15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0
MD5 hash: 7afac9710e7ce1ff9b3b876702a8da03
SHA1 hash: e76853f6742b76f94d8dd2cb4864cd265e52bf08

SHA256 hash: 66538ba17b109effc46e8829d1c678f3f248b5f921f8bddd91af9586a8ae2222
MD5 hash: a570e4070b4fdf403a2956ed70bfdb12
SHA1 hash: 9abaac9e856e6b500d70b8a14f9bd764bc5498b6

SHA256 hash: 098a9c5806b3e48adbbb2b88c26945bb0c34ae016920a372a3f3beabb24f6b69
MD5 hash: 142ef9a18df1b5bf07ae049e0b6af342
SHA1 hash: 58c41fa56f3d569a91ab6a4fc2fb4905afd85240

SHA256 hash: d771765efc2f823397cbb6dbc24f23309145e784737b9083aa9e5f01912ed6c7
MD5 hash: eea013b9c470658ab13e1d279eaab13d
SHA1 hash: d53f4c25b75963d56c329fac77747f93b8dbbf12

SHA256 hash: 2eeacd23488872abf4d7d17ce8705fd445f6537b33aa9e6768da96bf15666825
MD5 hash: 5ad9a0ab04740eb27548e6b3c108a38a
SHA1 hash: fdca7205fc4a9adad15c9075cb2d0527fb417547

SHA256 hash: 4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026
MD5 hash: 9b59be1fa8427368c4e0e763f578d74c
SHA1 hash: 7287fe431a0a67aa41e9952906759746ddcffad1

SHA256 hash: 426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c
MD5 hash: a13020f231b588d46aaf82fe9314efdc
SHA1 hash: fa43858266fbfa564e98fba78f7e8634659f2dfe
Malware family: Equation Group
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
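The entry identifies the submitted file by MD5, SHA1, SHA256 and SHA3-384, and the unpacked-files list above adds MD5/SHA1/SHA256 triples for six further files (its first entry is the sample itself). The Python below is an added example, not MalwareBazaar's or any vendor's code: it computes those four digests for a file in a single pass and looks them up in an index built from exactly the hashes printed on this page, so a file found elsewhere can be tied back to this entry whichever digest a feed or log line happens to carry. The labels given to the unpacked files are mine, the only bytes it hashes in its test are constructed, and imphash, ssdeep and TLSH are not computed because they need third-party libraries.

```python
"""
Added example: hash a file with the digests this MalwareBazaar entry lists and
match the result against an IOC index built from the entry's own hashes.
"""
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# Hashes copied from this entry. Labels are illustrative; the page does not name the
# unpacked files, it only lists their digests.
ENTRY_IOCS = [
    ("WB.exe (submitted sample)", {
        "sha256": "15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0",
        "sha1": "e76853f6742b76f94d8dd2cb4864cd265e52bf08",
        "md5": "7afac9710e7ce1ff9b3b876702a8da03",
        "sha3_384": "b090206bf6e1ebe813995b50be61f3c9467073941392d952b11c0e926854b59e"
                    "a71792b9f85798ab76a606c24b6fe284"}),
    ("unpacked file 2", {"sha256": "66538ba17b109effc46e8829d1c678f3f248b5f921f8bddd91af9586a8ae2222",
                         "sha1": "9abaac9e856e6b500d70b8a14f9bd764bc5498b6",
                         "md5": "a570e4070b4fdf403a2956ed70bfdb12"}),
    ("unpacked file 3", {"sha256": "098a9c5806b3e48adbbb2b88c26945bb0c34ae016920a372a3f3beabb24f6b69",
                         "sha1": "58c41fa56f3d569a91ab6a4fc2fb4905afd85240",
                         "md5": "142ef9a18df1b5bf07ae049e0b6af342"}),
    ("unpacked file 4", {"sha256": "d771765efc2f823397cbb6dbc24f23309145e784737b9083aa9e5f01912ed6c7",
                         "sha1": "d53f4c25b75963d56c329fac77747f93b8dbbf12",
                         "md5": "eea013b9c470658ab13e1d279eaab13d"}),
    ("unpacked file 5", {"sha256": "2eeacd23488872abf4d7d17ce8705fd445f6537b33aa9e6768da96bf15666825",
                         "sha1": "fdca7205fc4a9adad15c9075cb2d0527fb417547",
                         "md5": "5ad9a0ab04740eb27548e6b3c108a38a"}),
    ("unpacked file 6", {"sha256": "4ba198e7f53a37b3a825ff2ce4d3e6ca00ad96e62852f0127a46c57a9a4a3026",
                         "sha1": "7287fe431a0a67aa41e9952906759746ddcffad1",
                         "md5": "9b59be1fa8427368c4e0e763f578d74c"}),
    ("unpacked file 7", {"sha256": "426d241e6480cecaf55a23ac686311a362548377edcfbfc920ac4cfbe3ea479c",
                         "sha1": "fa43858266fbfa564e98fba78f7e8634659f2dfe",
                         "md5": "a13020f231b588d46aaf82fe9314efdc"}),
]


def file_digests(data, chunk_size=1 << 20):
    """Compute all four digests in one pass over `data`, which may be bytes or an
    open binary file object; large files are read in `chunk_size` pieces."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    if isinstance(data, (bytes, bytearray, memoryview)):
        chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    else:
        chunks = iter(lambda: data.read(chunk_size), b"")
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_index(records):
    """Map every hash, lower-cased, to (algorithm, label) for O(1) lookup
    regardless of which digest the caller has."""
    index = {}
    for label, hashes in records:
        for algo, value in hashes.items():
            index[value.strip().lower()] = (algo, label)
    return index


def match_iocs(data, index):
    """Return sorted (algorithm, label) pairs for each digest of `data` present in `index`."""
    digests = file_digests(data)
    return sorted(index[value] for value in digests.values() if value in index)


ENTRY_INDEX = build_index(ENTRY_IOCS)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = match_iocs(fh, ENTRY_INDEX)
        print(path, "->", hits or "no match")
```

Hashing all four algorithms in one read costs little compared to the I/O and avoids re-reading a multi-megabyte binary per algorithm; normalising to lower case on both sides matters because vendor reports and SIEM fields mix cases freely.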

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 15de7f8defad6bace8c44bd3bd7725c10c0dc8336a58a7e8d92075a651fd61d0 (this sample)
Delivery method: Distributed via web download

Comments