MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e
SHA3-384 hash:	615a493714cecc44f475f2d11d1ccaf183d61c54d2b4d9c65d37b543d5a913bebbf470c9a068ff3ed66bf93d6e51c9b8
SHA1 hash:	7f429010a3006e9b39255d0e152a5c07f050d051
MD5 hash:	eb437902ca11790f80408c93b9a9f527
humanhash:	romeo-zebra-golf-kentucky
File name:	2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e
Download:	download sample
File size:	2'182'880 bytes
First seen:	2021-03-29 07:09:05 UTC
Last seen:	2021-03-29 07:48:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ba4cc0afb12afe0a3f885ae6696404ed (1 x ArkeiStealer)
ssdeep	24576:7IZg+uinrPO37fzH4A6haDzcUZEIdT9TagtzCNYqtyxlQB6vxJcMw5GlHD:7g/rPO37fzH4A6hanqNu+BX5UD
Threatray	583 similar samples on MalwareBazaar
TLSH	4CA5D032F2A08833D1732E74AD5792955936FD103E38A8A777F92F4C4E356817A272D2
Reporter	JAMESWT_WT
Tags:	LTD SERVICES LIMITED signed

Code Signing Certificate

Organisation:	LTD SERVICES LIMITED
Issuer:	Sectigo RSA Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-03-18T00:00:00Z
Valid to:	2022-03-18T23:59:59Z
Serial number:	7d36cbb64bc9add17ba71737d3ecceca
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	05be3171ca7272803d139ca13b16c24a3dd22917b1b8d6d0fd5401e63a79dd27
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e

Verdict:

Malicious activity

Analysis date:

2021-03-29 07:17:48 UTC

Tags:

installer

Link:

https://app.any.run/tasks/5061ab89-ca71-4026-bb74-2a04c1b77b68

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/127479/

Detection(s):

PUA.Win.Packer.PrivateEXEProtector4-6192998-2

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Forced shutdown of a system process

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0fb43cac-8f3e-45dc-ad57-8e6e09646394

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/656509

Signature

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file has nameless sections

System process connects to network (likely due to code injection or exploit)

Tries to detect virtualization through RDTSC time measurements

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e/

Threat name:

Win32.Trojan.GenCBL

Status:

Malicious

First seen:

2021-03-26 23:56:11 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Verdict:

unknown

291fb9999009b5cb5e1ce39a6c58472291cdaaaeeea56beb6a4d0b7925574dca

3d3095586bf72d6b631e44681654c68707a6f07987b02e367e7d88ac9ddab77c

411e56b415d4c23a741958c3f1ada72b3e958c078d27c339678bb690b7a895c3

4dd51b22d5ee046670f8b082ff67450740dd0825f0f544e243313fe07f8400bd

7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9

8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6

aa9692c1769e25297176b847f4274570c56c4d74f4577608bd036e72d82d5bdb

d0b2bc00645de803a4e9df303539995ee8f781631684b04fe67ee7e01bcf9c21

e3670bfc1db6fb7223bb6b231ef4c3afd9d34de1d8f87b7a8e7a4cb27cfaa37d

+ 573 additional samples on MalwareBazaar

Result

Malware family:

cryptbot

Score:

10/10

Tags:

family:cryptbot discovery persistence spyware stealer upx

Link:

https://tria.ge/reports/210329-lplfay3ql2/

Behaviour

Checks processor information in registry

Delays execution with timeout.exe

Modifies registry class

Modifies system certificate store

Runs ping.exe

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Executes dropped EXE

UPX packed file

CryptBot

Unpacked files

SH256 hash:

7b0b8db231d411d10f45ed54779fcfa8f3e442e04a31733ee2598b0dd3f63229

MD5 hash:

e769e747bb0fb0c1893e27af747094df

SHA1 hash:

af49f0054f201ba4a4b2d010d661e3d1f78e2a72

Link:

https://www.unpac.me/results/67c36f63-5a96-4065-90ef-62e76fbc212a/

SH256 hash:

2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e

MD5 hash:

eb437902ca11790f80408c93b9a9f527

SHA1 hash:

7f429010a3006e9b39255d0e152a5c07f050d051

Link:

https://www.unpac.me/results/67c36f63-5a96-4065-90ef-62e76fbc212a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Gamarue

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127479/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample