MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bbab985fdd9eee28a8a9951080d28c2b51de13ad5e42c471e9933d9b596eacc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bbab985fdd9eee28a8a9951080d28c2b51de13ad5e42c471e9933d9b596eacc
SHA3-384 hash: b0a8b2d0f5d6ffb9f94ba379add893136bbd1c86ad08f525b02780c79c700f544bcfdbb18ee543d288e61b999191fd37
SHA1 hash: 757d174a82da0c8412b80c5afffdb4ffdb2a13f2
MD5 hash: a16e7e2cdb9571cf0470324984b53146
humanhash: uncle-coffee-cold-item
File name:opra.doc
Download: download sample
File size:214'016 bytes
First seen:2022-01-20 17:13:56 UTC
Last seen:2022-01-20 18:59:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7c661725970e2285630167e2c43a72e6
ssdeep 3072:Ci4LLnlrIewazilkg1+1q7NvNNoLW0HHy185ofDkXvrdqcb2k/+kDeE5i/A7J:uLlrIgcvvNNqHH3GbuZq76h7
Threatray 444 similar samples on MalwareBazaar
TLSH T15E24CF0472A848B9ED77D5B8C6931682E1B63C101710EDEF03600376EF6EBE5657AF62
Reporter notajungman
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
opra.doc
Verdict:
No threats detected
Analysis date:
2022-01-20 18:03:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/09e69bd5-ca56-4b75-a706-a5b84ca185ca

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221183/
Detection(s):
SecuriteInfo.com.Win64.Kryptik.CVL.30526.4966.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4954/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/61e99861d32385db630ff38c/reports/22f9eda7-875b-4ace-89d9-29a7a7360226/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/df366e6b-3f29-48db-ab51-35bfde55109c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/924613
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 557090 Sample: opra.doc Startdate: 20/01/2022 Architecture: WINDOWS Score: 52 28 Multi AV Scanner detection for submitted file 2->28 30 Sigma detected: Suspicious Call by Ordinal 2->30 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 6 other processes 8->16 process5 18 cmd.exe 1 10->18         started        20 rundll32.exe 12->20         started        process6 22 conhost.exe 18->22         started        24 rundll32.exe 18->24         started        26 choice.exe 1 18->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bbab985fdd9eee28a8a9951080d28c2b51de13ad5e42c471e9933d9b596eacc/
Threat name:
Win64.Spyware.Bazarloader
Create hunting rule
Status:
Suspicious
First seen:
2022-01-20 17:14:10 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
16 of 28 (57.14%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
1c620f5c3a65d09cd30671a6ea697b47247f9df687ce9ff748ffb7dab9e92dd4
879e1d5a103b042c620b2c216a6ac707fdafb7e52c54f4a317107b4130158320
936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26
c4ee1c01c69af8c987dfc5f7790b3c8d2474ae1fe1771d4f2fef9720d54fd3ff
d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac
d4032fbbc8d1d4d11c98b1b85801a5b5ce36042ef09b0f3118e7770827f160d8
d6c233bd2d8e9689d4579f3133d04f609a9731efe2129ae7f41c8fd196c2b50e
ee9a8a1a2081e841af1c0895e2cae936cb38231af59426d54c68d6a2357ac236
f9bd3a815beaf9e995e521edd22d17a06e5e1c4b1c2fdfa39f3837983716a70c
+ 434 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220120-vrzxgsagg7/
Behaviour
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Sets service image path in registry
Unpacked files
SH256 hash:
4bbab985fdd9eee28a8a9951080d28c2b51de13ad5e42c471e9933d9b596eacc
MD5 hash:
a16e7e2cdb9571cf0470324984b53146
SHA1 hash:
757d174a82da0c8412b80c5afffdb4ffdb2a13f2
Link:
https://www.unpac.me/results/4fb4bd45-51fa-4743-b8c2-cda7f427e4f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bbab985fdd9eee28a8a9951080d28c2b51de13ad5e42c471e9933d9b596eacc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4bbab985fdd9eee28a8a9951080d28c2b51de13ad5e42c471e9933d9b596eacc

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/221183/
  
URLhaus
https://urlhaus.abuse.ch/url/1993310/
  
Delivery method
Distributed via web download

Comments