MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
SHA3-384 hash: fba3cc45d7221c6b37929e39221ace86d6893bbf434a44dc02592631d5dbd281f8a9039f75945b5d019c8c417825391b
SHA1 hash: 9a7dc5a26040dc775c1b3854e6909dfd0adf84fc
MD5 hash: 56610cbdb784a4f8517c5de4ff92d85e
humanhash: robert-ten-ceiling-utah
File name:56610cbdb784a4f8517c5de4ff92d85e.exe
Download: download sample
File size:357'376 bytes
First seen:2022-01-14 09:13:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep 6144:b5aWbksiNTBcMOxjwIPHtnAA8R0O+eNpEj9JE/emtUfMtK+e:b5atNTKpxkIPNnT8f+WEj9JETmUKP
Threatray 93 similar samples on MalwareBazaar
TLSH T145740181F7E642F7EAF2043101D1622F9B3897388B24D9EBD34C2D5399436E596393E9
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
56610cbdb784a4f8517c5de4ff92d85e.exe
Verdict:
Malicious activity
Analysis date:
2022-01-14 09:17:47 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/607a4055-d190-4f0c-8cf7-fbea3c820c49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219263/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.41903412.23037.4057.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Creating a window
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Forced system process termination
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4171/overview
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/61e13ea4e997359713eb5fdc/reports/6ec1ba00-2fa7-4b5d-8bfa-587b1c300ba2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/5310c755-6099-452f-b722-aad80793d647
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/920622
Signature
Command shell drops VBS files
Creates HTML files with .exe extension (expired dropper behavior)
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Uses BatToExe to download additional code
Yara detected BatToExe compiled binary
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 553101 Sample: sT4cF8rUxp.exe Startdate: 14/01/2022 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for submitted file 2->40 42 Machine Learning detection for sample 2->42 44 Sigma detected: WScript or CScript Dropper 2->44 46 2 other signatures 2->46 7 sT4cF8rUxp.exe 10 2->7         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\...\extd.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\Temp\...\1C46.bat, ASCII 7->30 dropped 56 Potential malicious VBS script found (suspicious strings) 7->56 11 cmd.exe 3 6 7->11         started        16 conhost.exe 7->16         started        signatures5 process6 dnsIp7 38 192.168.2.1 unknown unknown 11->38 32 C:\Users\user\AppData\Local\Temp\...\123.vbs, ASCII 11->32 dropped 58 Potential malicious VBS script found (suspicious strings) 11->58 60 Command shell drops VBS files 11->60 62 Uses BatToExe to download additional code 11->62 18 wscript.exe 11->18         started        22 extd.exe 1 11->22         started        24 extd.exe 2 11->24         started        26 3 other processes 11->26 file8 signatures9 process10 dnsIp11 34 iplogger.org 148.251.234.83, 443, 49766 HETZNER-ASDE Germany 18->34 48 System process connects to network (likely due to code injection or exploit) 18->48 50 May check the online IP address of the machine 18->50 52 Multi AV Scanner detection for dropped file 22->52 54 Creates HTML files with .exe extension (expired dropper behavior) 22->54 36 a0621298.xsph.ru 141.8.194.74, 49767, 49768, 49769 SPRINTHOSTRU Russian Federation 24->36 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4/
Threat name:
Win32.Spyware.Doris
Create hunting rule
Status:
Malicious
First seen:
2022-01-14 09:13:13 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
14 of 43 (32.56%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
0cc7d034e9b01b5f02d0843e62c5ce0c79dc380fc3c126be71c8ad31ab8acad6
4da864854d368ab640245f8174d247e0b9947045712d2d7449e25e7074b8587c
534b9bc8809ae37a2beada5b9d868bda1c17c32be812ec3b30de2ad2382014a0
6fc704900ddda4e22fd10ae2bf066c403a2567ce830d1b8fe7721231414382b7
83ae57bdc0f817111ab909f54ec0f33b84f6504596d2a55adf39a16c5cf1afc0
83b1180e8794a4d719586d4f5fe237b37167ef93c186d3c0976a70d39541c72f
f3622af9e9478d97008e6a7d3f97449148f2cc6fc03420d47020f7b33dbd47cb
+ 83 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/220114-k6q8safefn/
Behaviour
Modifies registry class
Script User-Agent
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
255f2a205280c5498e592bd2a4e9aba4ed941cbefb0058a6456942d48a8d76f4
MD5 hash:
284dbf2927b9ac1d6d62290729bf9076
SHA1 hash:
6fe47b05ddb3d15375541bac7c5819c5e23dfbd1
Link:
https://www.unpac.me/results/dadf96aa-75ff-44d7-ade4-e9fa194db37d/
SH256 hash:
3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4
MD5 hash:
56610cbdb784a4f8517c5de4ff92d85e
SHA1 hash:
9a7dc5a26040dc775c1b3854e6909dfd0adf84fc
Link:
https://www.unpac.me/results/dadf96aa-75ff-44d7-ade4-e9fa194db37d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b6cbb6fde5051e6ec3ad23789968670c68f3ef82d8febe258e223c1487f42c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219263/

Comments