MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a
SHA3-384 hash: e0b5a435a4abd0621622aad15575d880cbf3f112f2baf31b91b1d9a5ee260d66aed1060e62e31e21276083e8b89d78a0
SHA1 hash: 32161cc99e50856f0100fdcefc3ae223321feaca
MD5 hash: 03aad8d88f3b963118e539eb4d895b03
humanhash: five-monkey-eleven-east
File name:SecuriteInfo.com.Trojan.Siggen29.22745.19833.25110
Download: download sample
File size:2'175'488 bytes
First seen:2024-08-20 14:24:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ecda7b270878b3805af38b123c6505e
ssdeep 49152:gN+ULR1moocAcV+5iv6t04xBi0+0hopKmfP4KFF6RThKAxVDG2A8946oNZ:MkXDwwB/VDKN
TLSH T110A56B2B51A565DAE3E6C07CE51B5792BC3132494E39A3BB24BAC391333091C9B6D373
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
335
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a
Verdict:
Malicious activity
Analysis date:
2024-08-16 01:15:11 UTC
Tags:
stealer xor-url generic deerstealer
Link:
https://app.any.run/tasks/d4aa67c9-6572-49c0-b28c-4ab763cf19d8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Siggen29.22745.19833.25110.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66c4a74ae7ff3f5a063ba1fd
Tags:
Stealth Variant
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug packed
Link:
https://www.filescan.io/uploads/66c4a740150fbf4bd6062bd0/reports/9c66c463-d1f7-4dd8-9641-a6800eadccd5/overview
Verdict:
Malicious
Labled as:
Ulise.Generic
Link:
https://www.hybrid-analysis.com/sample/1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/07b5cf3c-e72b-4689-a7aa-41efd50663c2
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1495841
Signature
AI detected suspicious sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a/
Threat name:
Win64.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-11 21:09:23 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=do7rz7uh52bovaays7qzz3h76bc7yzszsndgedav2fh64nupp2na._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240820-rq9ths1arq/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1be74158-6923-4aa9-a79b-3c35de31b4e4
Unpacked files
SH256 hash:
1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a
MD5 hash:
03aad8d88f3b963118e539eb4d895b03
SHA1 hash:
32161cc99e50856f0100fdcefc3ae223321feaca
Link:
https://www.unpac.me/results/1cb4a070-a057-44cb-9277-35f3c7561972/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1bbf1cfe87ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1bbf1cfe87ee82ea801897e19cecfff045fc66599346620c15d14fee368f7e9a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3117367/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryMultipleValuesA
ADVAPI32.dll::RegQueryValueA

Comments