MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4
SHA3-384 hash: 4ac3a682b78d34016f061e13226d36586512188fb094e6e58d47a754d876af1d473093fffd9753964c7a157de3dd5053
SHA1 hash: e23d75c3c9dff1d6d3e861fd58373685188e5a1e
MD5 hash: 0430047d09dd17f3e04dd6a39bca2c3c
humanhash: double-july-bluebird-alanine
File name:1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4.bin
Download: download sample
File size:270'336 bytes
First seen:2023-03-06 10:57:01 UTC
Last seen:2023-03-06 12:56:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 39b818e7bac0a276f509f8c47e467666
ssdeep 3072:CPluUBE5mz4rAhtGj/m+DeY01h4xUX2K0mE8zmEG5VkKS+eVbD1UqzmudlTuL:XW+DWNTlBKEG5VMZ1Uqhu
Threatray 54 similar samples on MalwareBazaar
TLSH T1C9444B27E35298BDC557C170C6ABD332B462F8561330AA2F1794CF362E34D6096BFA64
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Arkbird_SOLG
Tags:apt BlueBravo exe graphicalneutrino NOBELIUM

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4.bin
Verdict:
Malicious activity
Analysis date:
2023-03-06 10:58:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b7ca9174-b477-4c51-b320-27b9e20e9579

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/371915/
Detection(s):
SecuriteInfo.com.Variant.Tedy.233266.27781.18337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
anti-debug greyware shell32.dll
Link:
https://www.filescan.io/uploads/6405c70047dff094b528823c/reports/144acd30-6ee0-4c5c-9dd1-a67b7506cac8/overview
Verdict:
Malicious
Labled as:
Tedy.Generic
Link:
https://www.hybrid-analysis.com/sample/1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4
Malware family:
NOBELIUM
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed02cbc8-1fe5-4fa9-8ef0-56b12a323ff4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1188198
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 821077 Sample: EkCiTxGSVu.exe Startdate: 06/03/2023 Architecture: WINDOWS Score: 64 34 Antivirus / Scanner detection for submitted sample 2->34 36 Multi AV Scanner detection for submitted file 2->36 7 loaddll64.exe 13 2->7         started        process3 dnsIp4 28 api.notion.com 7->28 30 192.168.2.1 unknown unknown 7->30 10 cmd.exe 1 7->10         started        12 rundll32.exe 12 7->12         started        16 conhost.exe 7->16         started        18 rundll32.exe 7->18         started        process5 dnsIp6 20 rundll32.exe 12 10->20         started        32 api.notion.com 172.64.145.157 CLOUDFLARENETUS United States 12->32 40 System process connects to network (likely due to code injection or exploit) 12->40 signatures7 process8 dnsIp9 24 104.18.42.99 CLOUDFLARENETUS United States 20->24 26 api.notion.com 20->26 38 System process connects to network (likely due to code injection or exploit) 20->38 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4/
Threat name:
Win64.Trojan.Malagent
Create hunting rule
Status:
Malicious
First seen:
2022-11-02 12:23:03 UTC
File Type:
PE+ (Dll)
AV detection:
25 of 39 (64.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dt726o7hexivctehymumuv4nlxy2q3vdwseoswdptw4j3gjnuxca._file
Verdict:
malicious
Similar samples:
0b98bff25ebce8053e2c39214b3622b8d8666ae416afb52c5842312f27a6914f
14d3276ca733ff2efebeb3208f7e233da4df8735514c216e5fa52a83e9110f8b
1930bd3a3a2f286f2d8a2920609e145d1fffc2bddebaf1b526a96527a92cf73a
5d6f1484f6571282790d64821429eeeadee71ba6b6d566088f58370634d2c579
612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15
8bdd318996fb3a947d10042f85b6c6ed29547e1d6ebdc177d5d85fa26859e1ca
95bbd494cecc25a422fa35912ec2365f3200d5a18ea4bfad5566432eb0834f9f
c1b30ac4731197caf0ee49c76a9df568d53b630423f8a667417cad42b18d576b
c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb
e8e2c3c6d6db55f6c80fbf0b272933428bc5fe62a52732bf6c38aefe40894f88
+ 44 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230306-m19jaabh83/
Behaviour
Blocklisted process makes network request
Unpacked files
SH256 hash:
1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4
MD5 hash:
0430047d09dd17f3e04dd6a39bca2c3c
SHA1 hash:
e23d75c3c9dff1d6d3e861fd58373685188e5a1e
Link:
https://www.unpac.me/results/d18c3d32-bb04-4f9c-8f3d-7fdee788e3f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cffaf3be725d1514c87c328ca578d5df1a86ea3b488e9586f9db89d992da5c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf
Cape
Cape
https://www.capesandbox.com/analysis/371915/

Comments