MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326
SHA3-384 hash: 73d52665f444497e59c744a48ae736831f28fa123bcfcd34e16ad703e952513e3fb35dcb5ce2e52a762ed7a437d9349a
SHA1 hash: abf12814aa5c4fd746e3b5a9635667a2c5ac0604
MD5 hash: f18a8734fe5484be1f784dd47178d6c6
humanhash: single-dakota-london-tango
File name:f18a8734fe5484be1f784dd47178d6c6.exe
Download: download sample
File size:1'822'818 bytes
First seen:2022-10-24 12:21:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 49152:H6VUMI6hKcPoV8bZLL9uj5a/Nxg+i/qA3gv:H688lLcj5Yg7/qegv
Threatray 1'897 similar samples on MalwareBazaar
TLSH T16B852382B9D08072D6763938A4F69730653DBC211F798ECB63943A1E5E341C2EA36777
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
178
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f18a8734fe5484be1f784dd47178d6c6.exe
Verdict:
Malicious activity
Analysis date:
2022-10-24 12:27:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/04800ca6-4853-4b21-9f7b-e9a22e89355a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/323381/
Detection(s):
SecuriteInfo.com.Gen.Trojan.Olock.1.7103.31161.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8ae27a4c-91fb-4e14-bf6a-10e382d93ce5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1096498
Signature
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729140 Sample: Ct9Q6Cje57.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 72 15 Antivirus detection for dropped file 2->15 17 Multi AV Scanner detection for dropped file 2->17 19 Multi AV Scanner detection for submitted file 2->19 21 2 other signatures 2->21 6 Ct9Q6Cje57.exe 8 2->6         started        process3 file4 13 C:\Users\user\AppData\Local\Temp\aWI8.K, PE32 6->13 dropped 9 msiexec.exe 6->9         started        11 conhost.exe 6->11         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-10-24 11:25:52 UTC
File Type:
PE (Exe)
Extracted files:
88
AV detection:
26 of 42 (61.90%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dmj5axfobzhkygg3v77ajiryeogwylbl4kc5qjlrft567ejucmta._file
Verdict:
malicious
Similar samples:
12c65e9b2189c8853552288feac6470dcc8ffe458f33c43d95146a420045c7ac
2493acac8d8cae5687f709d86a041a2d3b4389b3952a96f1a3bbd12921b8a7f1
384b35bfb6d07dda3ea948bb9aa47a3024822ff40d21a13932381d6386643acc
913f62676d29a2368f9f6f97a3adc623ede915b58812e05aba24a1b0177697d4
9daf087ef991160871f07d75d1577eccd34d926e1bd5d30cc30516fdcbd84b45
abc845a1bcb5a82c786c55f8f778cef56bcfb4e66eec07172c14fb4cf78dcfcc
d8a12da66c3b95e1f2dc9c7e5667a5baf7dbdbbaff01f342222dc696c07455fa
eddbfe52ba633950c388e0303d5a04453f9ba9e3a3cdc60f9a1355707cd209e6
fb68afd0254bcaad62a35fe249e9bbcbd10697e900473676576c7fd6c859a293
+ 1'887 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/221024-pjxjhagfdj/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
bf3b58bd543696821fc1f2b241b23444e527409a016b0ed25e18ed317d1fc678
MD5 hash:
e517de126760b5134b29658c0ab1b84e
SHA1 hash:
c75ec5ec5a737805305a473793ea084f33d72504
Link:
https://www.unpac.me/results/2f098a2d-aecf-4908-aae4-33a59a36caba/
SH256 hash:
9aa4d222fdef42568ceac38089c1eeb0a0de976410f5d8124dcb104e6c14b0c3
MD5 hash:
06e839d4f6460c144122ecc2b685e88d
SHA1 hash:
59b2dcaebb573ca304e3c043a6d292e418d86c2d
Link:
https://www.unpac.me/results/2f098a2d-aecf-4908-aae4-33a59a36caba/
SH256 hash:
1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326
MD5 hash:
f18a8734fe5484be1f784dd47178d6c6
SHA1 hash:
abf12814aa5c4fd746e3b5a9635667a2c5ac0604
Link:
https://www.unpac.me/results/2f098a2d-aecf-4908-aae4-33a59a36caba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1b13d05cae0e4eac18dbaffe04a238238d6c2c2be285d825712cfbef91341326

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2382181/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/323381/

Comments