MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3847c039ec8f75424201032f288b86d79822cd9c993e9b9f51bd2f904eed4dfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Ousaban


Vendor detections: 8



SHA256 hash: 3847c039ec8f75424201032f288b86d79822cd9c993e9b9f51bd2f904eed4dfe
SHA3-384 hash: f674c779fd31692df7a668869c930ebaf5a3029b6993e29e4715b37c170c99c14f1b005a6359523a0165c1521ff3cfc9
SHA1 hash: 25e59012b840e6c136c3ca23acb1eeff485eb62b
MD5 hash: e954fbf0f27d868ee7354817ba0c65d1
humanhash: spring-nitrogen-fix-fifteen
File name: zlibai.dll
Signature: Ousaban
File size: 14'278'656 bytes
First seen: 2022-04-21 07:42:35 UTC
Last seen: 2022-04-21 09:05:49 UTC
File type: DLL
MIME type: application/x-dosexec
imphash: ecbcff8f092e88abad9a2b65e110319b (2 x Ousaban)
ssdeep: 393216:101BJounBChFm05j8sSNylDnDPj2I/oHVG:crBChFm0HSIlTDtoHV
Threatray: 868 similar samples on MalwareBazaar
TLSH: T12AE6333331A31080D2FAC87D8937BFD775F6026D8661587DF5E6EADB2495AE0D602883
TrID: 33.2% (.EXE) Win32 Executable (generic) (4505/5/1)
      22.1% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      14.9% (.EXE) OS/2 Executable (generic) (2029/13)
      14.7% (.EXE) Generic Win/DOS Executable (2002/3)
      14.7% (.EXE) DOS Executable Generic (2000/1)
Reporter: JAMESWT_WT
Tags: banker brazil dll ousaban spy

Intelligence


File Origin
# of uploads: 2
# of downloads: 239
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating synchronization primitives
Creating a window
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Sigma detected: Suspicious Call by Ordinal
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Behavior Graph ID: 612947
Sample: zlibai.dll
Start date: 21/04/2022
Architecture: WINDOWS
Score: 72
Sample-level signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample; PE file contains section with special chars; Sigma detected: Suspicious Call by Ordinal
Process tree (signatures raised by each process in parentheses):
loaddll32.exe (Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Overwrites code with function prologues; Tries to detect virtualization through RDTSC time measurements)
  rundll32.exe (Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Tries to detect virtualization through RDTSC time measurements)
    WerFault.exe
  rundll32.exe (Overwrites code with function prologues)
  rundll32.exe
  6 other processes
    rundll32.exe (Overwrites code with unconditional jumps - possibly setting hooks in foreign process)
      WerFault.exe
    WerFault.exe
      192.168.2.1 (unknown unknown; private RFC 1918 address)
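The signature "Sigma detected: Suspicious Call by Ordinal" in the block above refers to rundll32.exe being handed a DLL export selected by ordinal ("zlibai.dll,#1") rather than by name, a pattern consistent with the loaddll32.exe to rundll32.exe chain in the behaviour graph. The Python below is an added example, not code from MalwareBazaar, the sandbox vendor or the Sigma project: it approximates that detection over constructed Sysmon-style process-creation events. The field names used (Image, CommandLine), the sample command lines and the EDGEHTML.dll allowlist entry are assumptions made for the example.

```python
"""Approximate "Suspicious Call by Ordinal" detection over process-creation events.

Added example: not code from MalwareBazaar, the sandbox vendor or the Sigma project.
rundll32.exe takes "<dll>,<entry>" (or "<dll> <entry>"); an entry written as "#<n>"
selects the export by ordinal instead of by name, so no recognisable export name
appears on the command line.
"""
import re

# Sysmon Event ID 1 style fields; these events are constructed for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\zlibai.dll,#1"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Users\Public\zlibai.dll", #2'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\zlibai.dll #3"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\EDGEHTML.dll,#141"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\zlibai.dll"},
]

# Matches the rundll32 host binary whether given bare, as a full path, or quoted.
HOST_RE = re.compile(r'(?i)(?:^|[\\/\s"])rundll32(?:\.exe)?"?\s+')
# An entry point of the form "#123" is an ordinal; anything else is an export name.
ORDINAL_RE = re.compile(r"^#(\d+)$")
# Ordinal calls treated as benign noise (assumption for this example; tune per estate).
ALLOWLIST = {("edgehtml.dll", 141)}


def parse_rundll32(cmdline):
    """Return (dll, entry) from a rundll32 command line, or None if it is not one."""
    m = HOST_RE.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():].lstrip()
    if rest.startswith('"'):                        # quoted DLL path, may contain spaces
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:                                           # bare token ends at comma or whitespace
        tok = re.match(r"[^,\s]+", rest)
        if not tok:
            return None
        dll, rest = tok.group(0), rest[tok.end():]
    rest = rest.lstrip()
    if rest.startswith(","):                        # "dll,entry" and "dll ,entry" forms
        rest = rest[1:].lstrip()
    entry = rest.split(None, 1)[0] if rest else ""  # "dll entry" form: first token is entry
    return dll, entry


def detect_ordinal_call(cmdline):
    """Return {"dll", "ordinal"} when cmdline is a non-allowlisted rundll32 call by ordinal."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    dll, entry = parsed
    m = ORDINAL_RE.match(entry)
    if not m:
        return None
    ordinal = int(m.group(1))
    basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if (basename, ordinal) in ALLOWLIST:
        return None
    return {"dll": dll, "ordinal": ordinal}


def scan(events):
    """Apply the detection to a list of process-creation events; return the alerts."""
    alerts = []
    for ev in events:
        hit = detect_ordinal_call(ev.get("CommandLine", ""))
        if hit:
            alerts.append({"Image": ev.get("Image", ""), **hit})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT rundll32 call by ordinal: {alert['dll']} #{alert['ordinal']} ({alert['Image']})")
```

Against the constructed events the three zlibai.dll invocations alert (comma, comma-plus-space and space separators), the named Control_RunDLL export and the allowlisted EDGEHTML.dll ordinal do not, and regsvr32 is ignored because it is not rundll32. Parsing the command line instead of substring-matching ",#" avoids false positives from DLL paths or arguments that merely contain that text.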

Threat name: Win32.Infostealer.Mekoban
Status: Malicious
First seen: 2022-04-20 14:45:06 UTC
File Type: PE (Dll)
AV detection: 21 of 41 (51.22%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 3847c039ec8f75424201032f288b86d79822cd9c993e9b9f51bd2f904eed4dfe
MD5 hash: e954fbf0f27d868ee7354817ba0c65d1
SHA1 hash: 25e59012b840e6c136c3ca23acb1eeff485eb62b
These are the submitted file's own hashes: the run produced no distinct unpacked payload, even though one vendor tagged the sample "packed".
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments