MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b0627313c0c8731f0b7250bae43fe2df57bd8b05f06017222de8edd91d22c90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b0627313c0c8731f0b7250bae43fe2df57bd8b05f06017222de8edd91d22c90
SHA3-384 hash: 34ca15c971f73f3bbce081b9f849db13803b21c4b8056eb5e5964f339b78c30854d215725bf89d4e746a51598f634f38
SHA1 hash: 53877beffde87984d4f86b5acdef06aed3436e11
MD5 hash: c9f0498b9924abfabac356ec063dcab0
humanhash: pasta-grey-social-friend
File name:FACTURE_27889 pdf.exe
Download: download sample
File size:10'433'369 bytes
First seen:2022-06-22 07:00:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0bbecc8e9f9f17b0ea9cc3899b15e5cf (1 x RedLineStealer, 1 x CortaBot, 1 x CobaltStrike)
ssdeep 196608:4ggYpOQmzLZDGXTICteEroxzlxZV3Gu5D4S267ygEGPt2CS39j8kgtKmT5PfY:uYcQcuInErot14S2D7qcqom1fY
Threatray 20 similar samples on MalwareBazaar
TLSH T169B63349F7AA0C9EE917433A98A0F612C4B37825076CE52F1ED9782E9D773E12DB1704
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 30f8d0c8c8c0e030 (1 x RedLineStealer, 1 x CoinMiner, 1 x QuasarRAT)
Reporter JAMESWT_WT
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURE_27889 pdf.exe
Verdict:
Malicious activity
Analysis date:
2022-06-22 07:00:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bc3138a4-6cd7-4638-9737-53afc2303341

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282210/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/62b2be7478c728351889ab47/reports/de69f425-a59d-44ef-97ff-762a108bed36/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/51ce7920-e179-4e6a-821f-8b8d2ebf79b1
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
7 / 100
Link:
https://www.joesandbox.com/analysis/1017692
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b0627313c0c8731f0b7250bae43fe2df57bd8b05f06017222de8edd91d22c90/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hmdcomj4bsdtd4fxeuf24q76fx2xxwfql4dac4rc32hn3eosfsia._file
Verdict:
unknown
Similar samples:
04a31ae8a31bb4144d7392040442f4a38e8301cc550124cc47d012a0eba71bdd
0df6eca30071051714c4d1b5bd16e11feb7a76ab208c907771d0dd470d91ab07
329d77b0ab5af0e568b9d56e3c3f7afc4266bf2cea0bd816ed4e67d4c9a09692
414d8e74cdb96fe1e8742018494be41cdebd5c11804a30a7876a5bcd7bf01764
476a05d5c8ef4444f96cbd02c3a315c56227b7510f75e82249a449bb79e977fc
4b56d8713523dea09695ec6beef98608c234e5f8a9be77be931a687c080fb0f1
5a84910606ad80acd72e15856c704e0a044f93d46df482d5629d4cc2c55d546b
6e86ad43d7677a7d9a81ac9dd17df97703dfb49ee4456601b4fa2edd518ce0e5
80f4e41827dfe57bd2217eabe487099a2912be536fe4b0aef95b4bbb215c8a2a
a07afb3f48c05bc311adc6a9473310e6b35e14f14920e543ee8ca032a0af637f
+ 10 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/220622-hs782acec7/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
3b0627313c0c8731f0b7250bae43fe2df57bd8b05f06017222de8edd91d22c90
MD5 hash:
c9f0498b9924abfabac356ec063dcab0
SHA1 hash:
53877beffde87984d4f86b5acdef06aed3436e11
Link:
https://www.unpac.me/results/ae025241-35a0-4b3b-a26c-5c842747f2c8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b0627313c0c8731f0b7250bae43fe2df57bd8b05f06017222de8edd91d22c90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/282210/

Comments