MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23179a9183cb0c0d3e10bfbf6edd5b1d92244ea1ae3120bb008ac09cea59b217. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	23179a9183cb0c0d3e10bfbf6edd5b1d92244ea1ae3120bb008ac09cea59b217
SHA3-384 hash:	80d48ad4128f2041b790fecc91765a9d67fae76f472b690730a5bd6bee922630326494c6219737f6a174fc563655c4bf
SHA1 hash:	bbec3d24ed558887531ca45d24b56e29a6145917
MD5 hash:	da01f660c41ba141802265aa0ca0f6e6
humanhash:	lamp-tennessee-high-saturn
File name:	FileOperations.dll
Download:	download sample
File size:	365'488 bytes
First seen:	2021-10-25 08:36:05 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	7f23fa45d4bfa5c8f6d0c8d93111c1c8
ssdeep	6144:JyVt6fHYx+8GOL2bS9Li0k9TY1fuMuwLspJaDsAkvAO5cSrQVKlG:6tkeYbS9L/RuMuwLocopMlVt
Threatray	95 similar samples on MalwareBazaar
TLSH	T16B746C6072DAC436D57E4AB0393CC8AE54297EA59BF2D4EB13D81D1F09738C28635F26
Reporter	AndreGironda
Tags:	dll

AndreGironda

MITRE T1566.001
Date: Mon, 25 Oct 2021 00:00-00:30 +0000 (UTC)
Received: from f79.user-online01.com (52.243.78.50)
content-type: text/html
Subject: ✅ <removed>, Pix Recebido com Sucesso- - ID:914767914767
From: BCO-CENTRAL <gerencia-central86236@f79.user-online01.com>
Message-Id: <20211025002820.F02423FB76@f79.user-online01.com>
Return-Path: root@f79.user-online01.com
Malicious URL: hXXps://res.cloudinary[.]com/dpxbbemsn/raw/upload/v1634858510/chegouseupix_d2av9g.html
Microsoft Installer Name: FORM_PIX XJTVCZG.msi
MSI SHA256: 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
Unpacked DLL 1 SHA256: 23179a9183cb0c0d3e10bfbf6edd5b1d92244ea1ae3120bb008ac09cea59b217
Unpacked DLL 2 SHA256: 5b6cdda58dabeb641d45086144e3b2e92ae1ba2c7a10cfdb4c6db09ca971d45b
Unpacked Executable SHA256: 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
Stage 1 URL: hXXp://ec2-18-231-149-132.sa-east-1.compute.amazonaws[.]com/mod2.zip
Stage 2 URL: hXXps://759c87514850247c.s3.us-east-2.amazonaws[.]com/0321F9132EC97FDC5EE532FF.zip
Stage 3 URL: hXXps://unterteks.eastus2.cloudapp.azure[.]com/gbuster/barman.php
Stage 4 URL: hXXps://pspentregasonline[.]com/cor/amarelo.txt
Stage 1 Zipfile Name: mod2.zip
Stage 1 Zipfile SHA256: e44b18cfc6e3ae2e161f1c5bf59716754f734a48b8cda07e42f32bc55bc07a4f
Unzipped DLL Name: rqvufRfLLN.dll
Culebra Variant DLL SHA256: 2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025
Unpacked Culebra Variant DLL SHA256: e6bf7bc4b7f5235a307f5253ef3595d8aa50fefcfdb141d0e75c108676a584cd
C2: 20.206.126.228:55516