MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca
SHA3-384 hash: ebffad428d8d44654fadf567fd312ef310b55acbdaa0fafbfe2eb9df30545e736f530c0f9ba16906645f1b9840524dbe
SHA1 hash: 7bfba488061550cde468492b67659cd112ec09da
MD5 hash: 87f6774e25128d080fecd3fe5e15daa6
humanhash: twelve-magazine-leopard-timing
File name:87f6774e25128d080fecd3fe5e15daa6
Download: download sample
File size:376'832 bytes
First seen:2023-09-14 04:48:53 UTC
Last seen:2023-09-14 10:31:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9dcc2fb8fef0355edecee5c713257e9c
ssdeep 6144:YRQoL09mu6CHH9CZWUQKcSemuu6C3qECHH9CZWUQKcSemuu6C3qQc1:YWokcudCnx6C3fudCnx6C3Rc1
Threatray 1 similar samples on MalwareBazaar
TLSH T18F840151B1D18433EA3735311C91DBA50E2DFD610E61AEFB339066B90F356408AB9B7B
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4505/5/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon d5616a4c0d49b24a
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
293
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
87f6774e25128d080fecd3fe5e15daa6
Verdict:
Malicious activity
Analysis date:
2023-09-14 04:49:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/db0df2f8-945f-4837-b9a8-8249d0bc80b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448535/
Detection(s):
SecuriteInfo.com.FileRepMalware.25657.30435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dridex greyware icedid
Link:
https://www.filescan.io/uploads/650290c09bae8a378556651d/reports/bf156c51-0b05-4294-8ad7-5862e57300f5/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a3464889-1184-4af6-b5fc-bde8b995a14e
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/1307732
Signature
Antivirus detection for URL or domain
Command shell drops VBS files
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1307732 Sample: O3oJFOMUO1.exe Startdate: 14/09/2023 Architecture: WINDOWS Score: 68 29 mgwdg.jungleheart.com 2->29 33 Antivirus detection for URL or domain 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 Machine Learning detection for sample 2->37 9 O3oJFOMUO1.exe 2->9         started        signatures3 process4 signatures5 39 Obfuscated command line found 9->39 12 cmd.exe 1 9->12         started        process6 process7 14 cmd.exe 2 12->14         started        18 cmd.exe 3 2 12->18         started        20 conhost.exe 12->20         started        22 3 other processes 12->22 file8 27 C:\Users\Public\sm86fa81.vbs, ASCII 14->27 dropped 41 Command shell drops VBS files 14->41 24 wscript.exe 14 18->24         started        signatures9 process10 dnsIp11 31 mgwdg.jungleheart.com 206.71.149.162, 443, 49712, 49713 NTT-COMMUNICATIONS-2914US United States 24->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 04:49:06 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
10 of 21 (47.62%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jm2iuelirxmdx5mo363aedk5h5pkrtibpkxw76evsitdrfxqkxfa._file
Verdict:
unknown
Similar samples:
72793db7dff167110244048663cae9d74ff6d7bf994648bc000af55a50888338
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230914-ffnmracc33/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Blocklisted process makes network request
Unpacked files
SH256 hash:
4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca
MD5 hash:
87f6774e25128d080fecd3fe5e15daa6
SHA1 hash:
7bfba488061550cde468492b67659cd112ec09da
Link:
https://www.unpac.me/results/379e65a8-4fb6-4066-a011-97d5cf81ce8e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SUSP_ENV_Folder_Root_File_Jan23_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious file path pointing to the root of a folder easily accessible via environment variables
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4b348a11688dd83bf58edfb6020d5d3f5ea8cd017aaf6ff89592263896f055ca

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2711609/
Cape
Cape
https://www.capesandbox.com/analysis/448535/

Comments


Avatar
zbet commented on 2023-09-14 04:48:54 UTC

url : hxxp://84.54.50.102/k5.exe