MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4
SHA3-384 hash: d7289856fbca29c809eec671b5361ea51d60083718b7a07517df7daff1c5166d6d5a3b22075c929076cf7c96952aac4a
SHA1 hash: 760f36ab9cdb2cba9db76f8e392da6bc0ed5bd5b
MD5 hash: 0dad0861840cb73b4cefce3dcce28fa5
humanhash: burger-oxygen-uncle-uncle
File name: 0dad0861840cb73b4cefce3dcce28fa5
Download: download sample
File size: 3'138'684 bytes
First seen: 2021-08-17 14:07:27 UTC
Last seen: 2021-08-17 16:52:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep: 49152:3P+LLajA0Rtg0xD9enMqcKAEVcnidEl4ZquTONy1kH6oVVvkof5XMdXpqzHZa:3Guzg0VYXPVRKl4ZqpvVVvhfGFpe5a
Threatray: 826 similar samples on MalwareBazaar
TLSH: T179E5336301CDBDAAE1B4CD3833A39BC3D959CD266877A71A91E9707599BC34B31812CC
dhash icon: 414555c0d4d44503 (15 x njrat, 14 x BlackNET, 8 x Lucifer)
Reporter: zbetcheckin
Tags: 32 exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 108
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4
Verdict: No threats detected
Analysis date: 2021-08-16 23:16:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for analyzing tools
Searching for the window
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file in the %temp% directory
DNS request
Connection attempt
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Deleting a recently created file
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Forced shutdown of a browser
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID: 466917; Sample: d5gkEKp8aT; Startdate: 17/08/2021; Architecture: WINDOWS; Score: 100)
Start -> signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 4 other signatures
Start -> processes started: d5gkEKp8aT.exe; c5e504606bceb80648bcecb9e1bfe1ee.exe (first instance); c5e504606bceb80648bcecb9e1bfe1ee.exe (second instance)
d5gkEKp8aT.exe -> network: tospititouaromatos.shop (157.90.210.32, ports 49705, 49714, 49715; AS: REDIRISRedIRISAutonomousSystemES; United States); 192.168.2.1 (unknown)
d5gkEKp8aT.exe -> dropped files: C:\...\c5e504606bceb80648bcecb9e1bfe1ee.exe (PE32); C:\Users\user\AppData\Local\Temp\bin.exe (PE32)
d5gkEKp8aT.exe -> signatures: Query firmware table information (likely to detect VMs); Tries to harvest and steal browser information (history, passwords, etc); Hides threads from debuggers
d5gkEKp8aT.exe -> process started: bin.exe
c5e504606bceb80648bcecb9e1bfe1ee.exe (first instance) -> signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); 2 other signatures
c5e504606bceb80648bcecb9e1bfe1ee.exe (second instance) -> signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check)
bin.exe -> network: tospititouaromatos.shop
bin.exe -> signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-08-16 14:16:08 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 18 of 27 (66.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence suricata themida trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
suricata: ET MALWARE Generic gate[.].php GET with minimal headers
suricata: ET MALWARE MegalodonHTTP/LuciferHTTP Client Action
Unpacked files
SHA256 hash: 5fb6d78a005855a735c538d79004ccaf042622431fdba5047539f1a6e05f704e
MD5 hash: a31b2af1ec483b292571ee5ae2a7f1e4
SHA1 hash: 38103d01af73ca2a94c571cd442704fd2bbeb6ec

SHA256 hash: 4fc65264914c337aac2add5c9de20155b5ce5bc8d1719c4a82bc534d2a5b311c
MD5 hash: e03f75e48f573df6330328a689efc20b
SHA1 hash: bc7196ee121fe0971d323bd5ac3aa945de0ed8fe

SHA256 hash: dcb842f5e0da9d486cad34d4b809dcaadf9ec4d6991fdb22bdc9aea66489ad1a
MD5 hash: c02a029c978f13b753c6b578b1588c75
SHA1 hash: e125d59451e7f467bfd329a00a506decbcd91d83

SHA256 hash: 37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4
MD5 hash: 0dad0861840cb73b4cefce3dcce28fa5
SHA1 hash: 760f36ab9cdb2cba9db76f8e392da6bc0ed5bd5b

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Andromeda_MalBot_Jun_1A
Author: Florian Roth
Description: Detects a malicious Worm Andromeda / RETADUP
Reference: http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/

Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida

Rule name: INDICATOR_SUSPICIOUS_Binary_References_Browsers
Author: ditekSHen
Description: Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Rule name: INDICATOR_SUSPICIOUS_EXE_SandboxProductID
Author: ditekSHen
Description: Detects binaries and memory artifacts referencing sandbox product IDs

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 37882a4a0aaf84e2f3c063de493fedbf2233c31c7bd146c79059dd1ae914e2f4 (this sample)
Delivery method: Distributed via web download

Comments
zbet commented on 2021-08-17 14:07:27 UTC

url : hxxp://a.ninis.us/d/oy.exe