MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Meteorite


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8
SHA3-384 hash: 8d212aedcb771461d203e5cc6da9d0673ae8692b97618de039b04326923b74054a2b4096dbc0e6a703c22e5b65124595
SHA1 hash: 51ff8101eea8d51a6178635ed26c19678a3d8aa3
MD5 hash: c200ea136a598e37eb83c8c6031b3f29
humanhash: social-glucose-emma-kilo
File name:c200ea136a598e37eb83c8c6031b3f29.exe
Download: download sample
Signature Meteorite
Create hunting rule
File size:16'384 bytes
First seen:2023-03-29 06:11:00 UTC
Last seen:2023-09-08 11:56:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7561f617f3827674993d78a3c48f4610 (1 x RedLineStealer, 1 x Meteorite)
ssdeep 96:kEVg6r1wCCbBarsanJtRHJeZW+RElJ869X/Q+sjsTNTSEnrtDINyncI+vL/mg56D:XVZZrDRgAKErjOEnrtDINynT+vCgcNXh
TLSH T1D272400BAA934423F2014D308BD692E21BFE7C1779D37E6FEF40164914E19495AD6EF2
TrID 77.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
6.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f26272f0d861b0dc (1 x RedLineStealer, 1 x Meteorite, 1 x XRed)
Reporter abuse_ch
Tags:exe Meteorite

Intelligence

File Origin
# of uploads :
2
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c200ea136a598e37eb83c8c6031b3f29.exe
Verdict:
Malicious activity
Analysis date:
2023-03-29 06:12:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/23ba3bbd-670c-4d9e-b20e-75120bd2854d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/378370/
Detection(s):
Win.Malware.Aizczvpi-7667171-0
Create hunting rule

Win.Malware.Aizczvpi-7667173-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
DNS request
Connecting to a non-recommended domain
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed shell32.dll shell32.dll update.exe vobfus
Link:
https://www.filescan.io/uploads/6423d679688c0e6397b35a21/reports/23433a68-4cd9-4737-a575-c862cd649738/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/9a6de1c1-a856-4f65-8031-d3c4c1d3f1e4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
42 / 100
Link:
https://www.joesandbox.com/analysis/1204039
Signature
Antivirus / Scanner detection for submitted sample
Found evasive API chain checking for user administrative privileges
Found potential ransomware demand text
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 836955 Sample: BEwkwcQFOA.exe Startdate: 29/03/2023 Architecture: WINDOWS Score: 42 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus / Scanner detection for submitted sample 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 2 other signatures 2->85 6 Updater.exe 17 2->6         started        10 BEwkwcQFOA.exe 1 16 2->10         started        12 Updater.exe 17 2->12         started        14 3 other processes 2->14 process3 dnsIp4 65 104.18.19.218 CLOUDFLARENETUS United States 6->65 67 104.21.89.144 CLOUDFLARENETUS United States 6->67 69 192.168.2.1 unknown unknown 6->69 47 C:\Users\user\...\electrum-4.3.4-setup.exe, PE32 6->47 dropped 49 C:\Users\user\...\electrum-4.3.4-setup[1].exe, PE32 6->49 dropped 51 C:\...\exodus-windows-x64-23.3.27[2].exe, PE32 6->51 dropped 17 electrum-4.3.4-setup.exe 16 506 6->17         started        71 8.8.8.8 GOOGLEUS United States 10->71 73 172.67.40.154 CLOUDFLARENETUS United States 10->73 53 C:\Users\...\bitcoin-22.0-win64-setup.exe, PE32+ 10->53 dropped 55 C:\Users\user\AppData\Local\...\Updater.exe, PE32 10->55 dropped 57 C:\Users\...\bitcoin-22.0-win64-setup[1].exe, PE32+ 10->57 dropped 20 bitcoin-22.0-win64-setup.exe 19 10->20         started        23 exodus-windows-x64-23.3.27.exe 10->23         started        75 104.18.18.218 CLOUDFLARENETUS United States 12->75 77 104.22.68.176 CLOUDFLARENETUS United States 12->77 59 C:\Users\...\exodus-windows-x64-23.3.27.exe, PE32 12->59 dropped 63 2 other files (none is malicious) 12->63 dropped 25 electrum-4.3.4-setup.exe 59 12->25         started        27 exodus-windows-x64-23.3.27.exe 12->27         started        61 C:\Users\user\AppData\Local\...\Update.exe, PE32 14->61 dropped 89 Multi AV Scanner detection for dropped file 14->89 file5 signatures6 process7 file8 29 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 17->29 dropped 31 C:\Users\user\AppData\Local\...\System.dll, PE32 17->31 dropped 43 166 other files (none is malicious) 17->43 dropped 33 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32+ 20->33 dropped 35 C:\Users\user\AppData\Local\...\System.dll, PE32+ 20->35 dropped 37 C:\Users\user\AppData\Local\...\StartMenu.dll, PE32+ 20->37 dropped 45 6 other files (none is malicious) 20->45 dropped 87 Found evasive API chain checking for user administrative privileges 20->87 39 C:\Users\user\AppData\Local\...\UserInfo.dll, PE32 25->39 dropped 41 C:\Users\user\AppData\Local\...\System.dll, PE32 25->41 dropped signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8/
Threat name:
Win32.Trojan.VBObfuse
Create hunting rule
Status:
Malicious
First seen:
2023-03-28 23:56:59 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmcfjdrexs2qjichgsre2r6x7camuewfk5khrwbd2jycblvheh4a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230329-gxledsfa34/
Behaviour
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Unpacked files
SH256 hash:
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8
MD5 hash:
c200ea136a598e37eb83c8c6031b3f29
SHA1 hash:
51ff8101eea8d51a6178635ed26c19678a3d8aa3
Link:
https://www.unpac.me/results/8ba30dcc-66cc-4ef8-b5a9-990f83a2c3a0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3b04548e24bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_Meteorite
Create hunting rule
Author:ditekSHen
Description:Detects Meteorite downloader
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Meteorite

Executable exe 3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2589784/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/378370/

Comments