MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88
SHA3-384 hash: d984f8130cd89e33ed35ec1233905eef350ca980bdda0d0c42bb398a619ac12f704984652a01a6a1aa8fd4ae0ae33641
SHA1 hash: 16b2f3641ef3e1e94a437b1cf6ad8999eec367e7
MD5 hash: 85dfb3535a10b2c1a5688de6cc3d8240
humanhash: blossom-freddie-friend-alaska
File name:85dfb3535a10b2c1a5688de6cc3d8240.exe
Download: download sample
File size:395'776 bytes
First seen:2023-03-19 15:58:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f12d8b251be05e4edfe87a7ba231b1f4 (1 x Delf.TJJ)
ssdeep 12288:PX4fljUcdN3yWSxAQQouKSFglssknxP4My/SmfV:PEBb3QpjOF4X/Sm
Threatray 571 similar samples on MalwareBazaar
TLSH T127842328376E9C35DE111230AF7644FD57D93086D3EEEB248182444FDF76B82A8E0BA5
TrID 64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12)
25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.8% (.EXE) OS/2 Executable (generic) (2029/13)
1.8% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon b2f07cbe6e67736c (1 x MimiKatz, 1 x Gh0stRAT, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85dfb3535a10b2c1a5688de6cc3d8240.exe
Verdict:
Malicious activity
Analysis date:
2023-03-19 16:07:22 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/5e8111d2-2198-44a8-8090-4b2bde9e8217

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/375715/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Searching for synchronization primitives
DNS request
Sending an HTTP GET request
Creating a file in the Windows subdirectories
Delayed reading of the file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Sending an HTTP POST request
Creating a file in the %AppData% directory
Searching for the window
Creating a file in the %AppData% subdirectories
Query of malicious DNS domain
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/64173148da1bbe29caf90d8a/reports/2b6b73be-db36-4e3d-84e6-147c8e54918a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/69b3370e-c498-46be-bc5d-859cc8bc131c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1197166
Signature
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88/
Threat name:
Win64.Backdoor.Gulpix
Create hunting rule
Status:
Malicious
First seen:
2023-03-19 15:59:07 UTC
File Type:
PE+ (Exe)
Extracted files:
7
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmpvdwynwuysaa6yrkijqncgmt2rntb5n7xa7taf3s2n45csd2ea._file
Verdict:
unknown
Similar samples:
275e4c659edeeb5dd650b29253f72c8e95b7556e465253fabf8264d76abb2f02
59b298046b7092f498220a974fd2bc753ea6d926dfc6eaa70394d9096c2a7900
87c79d29737dca30e36aac1c90ac3eab82f71393b815a9d7c086565e257fd434
951337ef30b8c0940e630f56187954653fb03de3cbc9367e75d68d9432126fa4
ab175c1c5de8c9e9a2cbe7a9a14dac53371df20aa680f9df1cf7ca9939b60bbc
b1256289d4aaada74a40b6ca52aa0d382b7660943ea31744486007653ee925ad
d2c47b1c94e6beadbc222771e788e9dafe194c462760b0d16cd25cbc0a572a00
eee0f2f6b2524498f8287f95dd184828a044677700d61e2c0a109866f3dd504d
ef3f4616e08fa5c5fda6fd46a37b1aef3b851695a8f986d047259974389fd701
+ 561 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer upx vmprotect
Link:
https://tria.ge/reports/230319-te3l6sha96/
Behaviour
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Unexpected DNS network traffic destination
VMProtect packed file
Unpacked files
SH256 hash:
072b87fa551cbc56a9206c252e7a813c55e589f03495e3a055f2eed333f3ba75
MD5 hash:
c0867b9527b497cbfe542e289036862d
SHA1 hash:
ec04ecff8bd7c920996f90cd979e77480abecf9f
Link:
https://www.unpac.me/results/705becad-8475-4aea-8c5e-7dce5a1930d6/
SH256 hash:
2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88
MD5 hash:
85dfb3535a10b2c1a5688de6cc3d8240
SHA1 hash:
16b2f3641ef3e1e94a437b1cf6ad8999eec367e7
Link:
https://www.unpac.me/results/705becad-8475-4aea-8c5e-7dce5a1930d6/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2b1f51db0db5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2b1f51db0db5312003d88a9098344664f516cc3d6fee0fcc05dcb4de74521e88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2403434/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/375715/

Comments