MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f871dd7afffac397882b6044e966aef944fdd2acd1b4a351f0ffe70bb236499. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 1f871dd7afffac397882b6044e966aef944fdd2acd1b4a351f0ffe70bb236499
SHA3-384 hash: 2ffa89ad74c1bf0444127e1d811e583df167a21952b5cfb41f09869a7473b0872001ceb89e15b516e9bab64a3eaed011
SHA1 hash: 9b07f6c9d0a342f4a1091b29dbc22055ad1b7d70
MD5 hash: 780190f24c3ec8795f9a29fe933ea268
humanhash: nebraska-beryllium-maryland-xray
File name: 780190f24c3ec8795f9a29fe933ea268
File size: 186'268 bytes
First seen: 2022-04-22 18:11:55 UTC
Last seen: 2022-04-22 18:30:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 588ca9f8c5244db23a68165b188e927a
ssdeep: 3072:py0Wai62pPHynsb5VmZHoGJskQCDGZ3E5x/KtNdwKA/nOea6xfwWBHUWq+9yN86v:Y0DgpPHVWoGCNotx/Kt3wKmOea6fBHUb
Threatray: 1'653 similar samples on MalwareBazaar
TLSH: T11D048ED076D85CD7EA449B7940D7A221333DBBE0D7538B13A65066320E13BD2AEC7B26
TrID: 51.8% (.EXE) UPX compressed Win64 Executable (70117/5/12)
      19.9% (.EXE) UPX compressed Win32 Executable (27066/9/6)
      12.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      7.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      3.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: zbetcheckin
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 250
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process from a recently created file
Searching for the window
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug overlay packed spyeye trickbot
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature
Found API chain indicative of debugger detection
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph (ID 614098; sample lbmQKPk83Y; start date 22/04/2022; architecture WINDOWS; score 60):
lbmQKPk83Y.exe started. Network: 159.89.116.42 port 80 (DIGITALOCEAN-ASNUS, United States) from local port 49721. Dropped files: C:\Users\user\Desktop\44428.exe (PE32) and C:\Users\user\AppData\Local\...\44428[1].exe (PE32). Signature: Found API chain indicative of debugger detection.
lbmQKPk83Y.exe started cmd.exe, conhost.exe and a second cmd.exe; cmd.exe started 44428.exe.
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file.
Threat name: Win64.Trojan.Bingoml
Status: Malicious
First seen: 2022-04-22 18:12:07 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 12 of 26 (46.15%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: suricata upx
Behaviour
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro EXE DL AlphaNumL
Unpacked files
SHA256 hash: 1f871dd7afffac397882b6044e966aef944fdd2acd1b4a351f0ffe70bb236499
MD5 hash: 780190f24c3ec8795f9a29fe933ea268
SHA1 hash: 9b07f6c9d0a342f4a1091b29dbc22055ad1b7d70
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 1f871dd7afffac397882b6044e966aef944fdd2acd1b4a351f0ffe70bb236499 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-04-22 18:12:07 UTC

url : hxxp://159.89.116.42/exam/59546.exe