MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b4672cc7cef4fa82d5d3530948969292b80b66e8b93db01c11366d01e76cbba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b4672cc7cef4fa82d5d3530948969292b80b66e8b93db01c11366d01e76cbba
SHA3-384 hash: aecb8907f4357d8c3945a842f20cdcd39025b846542368549e26c03a85231130036f69d06807adb898eb2de46f007002
SHA1 hash: c444dea3940ba897e102a0f096b64981caebb615
MD5 hash: 0ffb550e21f6e7d6365166f83d8ccb5f
humanhash: oregon-cola-pluto-louisiana
File name:0ffb550e21f6e7d6365166f83d8ccb5f.exe
Download: download sample
File size:30'720 bytes
First seen:2021-02-10 13:43:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 768:2pTqSecASxD2cX2cJAPpkCqTLbr/WfMyBJ:25ASxD12c+PGBTLbrOXBJ
Threatray 29 similar samples on MalwareBazaar
TLSH EAD2D82963EF893DD1FE5F7169B2B0854234E1032251E71E4EC8638AA713E846B233D7
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0ffb550e21f6e7d6365166f83d8ccb5f.exe
Verdict:
Malicious activity
Analysis date:
2021-02-10 13:46:57 UTC
Tags:
trojan evasion
Link:
https://app.any.run/tasks/7828add8-020d-4d10-b732-bfbf67d691d4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116559/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a process from a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Searching for the window
DNS request
Sending a custom TCP request
Launching a process
Sending an HTTP GET request
Sending a UDP request
Unauthorized injection to a recently created process
Launching a tool to kill processes
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/604564
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Drops PE files to the document folder of the user
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 351318 Sample: Zy7qKW0uYZ.exe Startdate: 10/02/2021 Architecture: WINDOWS Score: 96 58 Multi AV Scanner detection for submitted file 2->58 60 Sigma detected: Drops script at startup location 2->60 62 May check the online IP address of the machine 2->62 64 2 other signatures 2->64 7 Zy7qKW0uYZ.exe 7 2->7         started        11 SystemSecurityCryptographyXCertificatesXExtensionCollectione.exe 2 2->11         started        process3 dnsIp4 32 SystemSecurityCryp...sionCollectione.exe, PE32 7->32 dropped 34 SystemSecurityCryp...exe:Zone.Identifier, ASCII 7->34 dropped 66 Drops PE files to the document folder of the user 7->66 14 SystemSecurityCryptographyXCertificatesXExtensionCollectione.exe 15 4 7->14         started        19 cmd.exe 1 7->19         started        42 utsukushikaini.ru 11->42 68 Writes to foreign memory regions 11->68 70 Allocates memory in foreign processes 11->70 72 Injects a PE file into a foreign processes 11->72 21 AddInProcess32.exe 12 11->21         started        file5 signatures6 process7 dnsIp8 44 utsukushikaini.ru 81.177.139.41, 443, 49724, 49732 RTCOMM-ASRU Russian Federation 14->44 36 SystemComponentMod...ngNewEventArgsz.url, MS 14->36 dropped 50 Multi AV Scanner detection for dropped file 14->50 52 Machine Learning detection for dropped file 14->52 54 Writes to foreign memory regions 14->54 56 Injects a PE file into a foreign processes 14->56 23 AddInProcess32.exe 12 14->23         started        26 taskkill.exe 1 19->26         started        28 conhost.exe 19->28         started        30 choice.exe 1 19->30         started        46 iplogger.org 21->46 48 2no.co 21->48 file9 signatures10 process11 dnsIp12 38 iplogger.org 88.99.66.31, 443, 49725, 49726 HETZNER-ASDE Germany 23->38 40 2no.co 23->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2b4672cc7cef4fa82d5d3530948969292b80b66e8b93db01c11366d01e76cbba/
Threat name:
ByteCode-MSIL.Trojan.Spider
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 22:25:57 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2b14c418ece19eda5bffd6234b71eb9b60eb9f07c80a3850fb7371fed92ad63f
2eb37b1a65e93d5619e44bb3734b321c97f195a6d079386194a84a5a1617c2dc
61d9f4cbc76b7889d7d17d262b63c0fd2ee40642653063b1eb6ab84397f8c57b
887084bcfd243d9c685a80c8b94ff04b56936b6a282988a2488463ba70e7d054
8e260eb76e2774843e8e79bfb5adef7a9eb06efb28161c9101a10accb475a54a
b42b33ffa4b45bc81b71f13d89dc1283b155204913aa8362e99e9aa44366bfb2
c589c3ffe9498e350a71024049e786772704a42873de61a966779d7794214183
dc6aaf7acf8b088dd2f0a3cbffd5ae7e56ed1680aeccb2ff7eecb9d56796cf68
e8234089e3729bbb6cbf5cf5deddad37b3dbe90180bc307ac8105f5f240a5b82
f1f02609df5674a0ad67ce6d2bd2f07dd7616eb2995b07f31ae431a956036ae9
+ 19 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
ransomware
Link:
https://tria.ge/reports/210210-m765rh1n5x/
Behaviour
Kills process with taskkill
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
2b4672cc7cef4fa82d5d3530948969292b80b66e8b93db01c11366d01e76cbba
MD5 hash:
0ffb550e21f6e7d6365166f83d8ccb5f
SHA1 hash:
c444dea3940ba897e102a0f096b64981caebb615
Link:
https://www.unpac.me/results/560f8fa9-172e-4189-be72-f545e207af45/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2b4672cc7cef4fa82d5d3530948969292b80b66e8b93db01c11366d01e76cbba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 2b4672cc7cef4fa82d5d3530948969292b80b66e8b93db01c11366d01e76cbba

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/998971/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/116559/

Comments