MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589
SHA3-384 hash: 7b5b474984bdeb876955b843cdaca059d96bd30d0e6358a5e3cbd89b14f3048ca222765778d1a6f24c173c3760ca3e49
SHA1 hash: 4cabf30c3db8412d5291cbcfcb805014dc688ecc
MD5 hash: bc1ff4241bb44a223c13c459caccec1f
humanhash: muppet-beer-alpha-pluto
File name:bc1ff4241bb44a223c13c459caccec1f.exe
Download: download sample
File size:353'792 bytes
First seen:2020-11-19 06:10:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 65cdd970d73381f4b594a626a242a94a (1 x DanaBot)
ssdeep 6144:T0A6TLdHVz3IPqSV8N++DSbXMKVS7PlKQ0wl3eMXZp0MUl:TB6TLdHVjIPTV0ebXDVAlKQDl3hXZ
Threatray 5 similar samples on MalwareBazaar
TLSH 2974F120B281C033E86196744D22CBF69F75F8341E56668B7BE85BBD5F313D29A36342
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/542255
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320226 Sample: Q09SIbaZaX.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 92 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 2 other signatures 2->48 6 Q09SIbaZaX.exe 17 2->6         started        process3 dnsIp4 38 4cnx9s25gsvw.top 45.139.186.121, 49749, 49750, 49751 HostingvpsvilleruRU Russian Federation 6->38 40 192.168.2.1 unknown unknown 6->40 20 C:\Users\user\AppData\...\syZsNnTNps[1].vx, PE32 6->20 dropped 22 C:\ProgramData\...\appconfig.dll, PE32 6->22 dropped 50 Detected unpacking (changes PE section rights) 6->50 52 Detected unpacking (overwrites its own PE header) 6->52 54 Contains functionality to detect sleep reduction / modifications 6->54 11 WerFault.exe 9 6->11         started        14 WerFault.exe 9 6->14         started        16 WerFault.exe 9 6->16         started        18 4 other processes 6->18 file5 signatures6 process7 file8 24 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 11->24 dropped 26 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 14->26 dropped 28 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->28 dropped 30 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->30 dropped 32 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->32 dropped 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->36 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 02:07:46 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414
70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf
ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff
bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d
d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201119-ejgcntxrws/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589
MD5 hash:
bc1ff4241bb44a223c13c459caccec1f
SHA1 hash:
4cabf30c3db8412d5291cbcfcb805014dc688ecc
Link:
https://www.unpac.me/results/ed33f647-9ebe-4080-a8d5-02b6d53491dc/
SH256 hash:
f96912b9444d7d352d21a03cb568f3e27d3df2fc1e4298ea15e2c9bea86309e8
MD5 hash:
a2c8142e9ca0cab89cbba79d2edd95a6
SHA1 hash:
0be192a3c60dd00bc6b92e1b01dfe24f1d8740c2
Link:
https://www.unpac.me/results/ed33f647-9ebe-4080-a8d5-02b6d53491dc/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/828188/
  
Delivery method
Distributed via web download

Comments