MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e2a80e4ce63746d836930fc3d9f4db8775f12b71a417c201418879bc143139b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e2a80e4ce63746d836930fc3d9f4db8775f12b71a417c201418879bc143139b
SHA3-384 hash: 545bea85e1312166ebca563e44380543295d8b426f4b4a0640d47df559ffe402d126af6114406aeca62e545f6f6b3312
SHA1 hash: f6c13694264250999452e21f7a16e964d285d9dd
MD5 hash: 18edbcbdf4f3a5975a3f8d98c70f5b97
humanhash: purple-kilo-mike-bravo
File name:18edbcbdf4f3a5975a3f8d98c70f5b97.exe
Download: download sample
File size:3'369'836 bytes
First seen:2021-04-28 08:37:32 UTC
Last seen:2021-04-28 09:01:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ced282d9b261d1462772017fe2f6972b (127 x Formbook, 113 x GuLoader, 70 x RemcosRAT)
ssdeep 98304:qHyV1sLT+Zuy27uWW9IoKMNITUERkzmAP:q/LT8uy2S9IF9IERk1P
Threatray 8 similar samples on MalwareBazaar
TLSH 55F51223AB01C44AE3A54AB8E4B1FF950B5C6E357E67C13EB57BB960F2B4B901C06057
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
@bisibi.exe
Verdict:
Malicious activity
Analysis date:
2021-04-24 10:59:15 UTC
Tags:
trojan dtloader loader rat redline
Link:
https://app.any.run/tasks/1680fc01-ed75-43ec-8459-64f4fc1f55a1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/144884/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/700258
Signature
Connects to many ports of the same IP (likely port scanning)
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 399045 Sample: nIi5WQsQ19.exe Startdate: 28/04/2021 Architecture: WINDOWS Score: 84 42 clientconfig.passport.net 2->42 56 Multi AV Scanner detection for submitted file 2->56 58 Connects to many ports of the same IP (likely port scanning) 2->58 60 PE file has a writeable .text section 2->60 9 nIi5WQsQ19.exe 23 2->9         started        signatures3 process4 file5 26 C:\Users\user\...\FactoryProtectionTool.exe, PE32 9->26 dropped 28 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32+ 9->28 dropped 30 C:\Users\user\AppData\...\php_sodium.dll, PE32+ 9->30 dropped 32 9 other files (none is malicious) 9->32 dropped 12 FactoryProtectionTool.exe 6 42 9->12         started        process6 dnsIp7 44 start.mil.ug 91.208.127.63, 21, 49734, 49735 AVTOSOYUZ-PLUS-ASRU Ukraine 12->44 46 iplogger.org 88.99.66.31, 443, 49732, 49733 HETZNER-ASDE Germany 12->46 34 C:\ProgramData\Data\Database.exe, PE32+ 12->34 dropped 36 C:\Users\user\AppData\Local\...\7zxa[1].dll, PE32 12->36 dropped 38 C:\ProgramData\Data\ssleay32.dll, PE32 12->38 dropped 40 7 other files (none is malicious) 12->40 dropped 62 May check the online IP address of the machine 12->62 17 Database.exe 12->17         started        20 cmd.exe 1 12->20         started        file8 signatures9 process10 signatures11 48 Multi AV Scanner detection for dropped file 17->48 50 Query firmware table information (likely to detect VMs) 17->50 52 Tries to detect sandboxes and other dynamic analysis tools (window names) 17->52 54 2 other signatures 17->54 22 taskkill.exe 1 20->22         started        24 conhost.exe 20->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4e2a80e4ce63746d836930fc3d9f4db8775f12b71a417c201418879bc143139b/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-04-20 19:24:54 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  1/5
Verdict:
suspicious
Similar samples:
2ad9f7f159286d1b07d913e0172e5cdcb8694f2f69a71f49118f1b9011cb6366
30c4e638fc8774dac873b3b30519dd0b72c08c430ab1f4591333028143bdca4e
6041e41669928be868b47f727c361e53a557d8cc22f1b206534d639576a49b6f
7632419ccba76c97ac9e15925625d88e18fe4efefaf5a04e3182a6048338f301
8f7d8a0885eafdb35c4e33f23733e53df213e4618e3c403536978a26a9ed93ce
95b5d0e36464afc8391a9d056926e5859506ead18937669554bde42f7a6d135b
cb6ae4487a5d4a80e647c196c959e566611f3d3ddd82fc76ced53b6d65808ece
f3a4a8572488cc3b5386de0d772753a01b1d5c0c9d06fe4979b60215e01c32e0
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210428-wghglhv6na/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
4d9aef45d813cbbf2764aacf01f699936a3fe111d0d73f631947e123d80648f8
MD5 hash:
09aed288899cbcbe45a6bee3bbfdb7d3
SHA1 hash:
a6ffcfd4e694b4581d2543955d51c5bbe97b277e
Link:
https://www.unpac.me/results/15a86c36-ce76-4110-9101-85b7165ff34f/
SH256 hash:
5b12199ea42c690bbeba964ab2c80e5b8c09c568878d6cf77ffe651d18c290df
MD5 hash:
697d0925012b6e82c275773fa50c9f47
SHA1 hash:
75b655346518a190d0eb9f910de00a4b861f13ce
Link:
https://www.unpac.me/results/15a86c36-ce76-4110-9101-85b7165ff34f/
SH256 hash:
4e2a80e4ce63746d836930fc3d9f4db8775f12b71a417c201418879bc143139b
MD5 hash:
18edbcbdf4f3a5975a3f8d98c70f5b97
SHA1 hash:
f6c13694264250999452e21f7a16e964d285d9dd
Link:
https://www.unpac.me/results/15a86c36-ce76-4110-9101-85b7165ff34f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4e2a80e4ce63746d836930fc3d9f4db8775f12b71a417c201418879bc143139b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4e2a80e4ce63746d836930fc3d9f4db8775f12b71a417c201418879bc143139b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1178230/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/144884/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-28 09:01:26 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0032.001] Data Micro-objective::CRC32::Checksum
2) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0045] File System Micro-objective::Copy File
6) [C0046] File System Micro-objective::Create Directory
7) [C0048] File System Micro-objective::Delete Directory
8) [C0047] File System Micro-objective::Delete File
9) [C0049] File System Micro-objective::Get File Attributes
10) [C0051] File System Micro-objective::Read File
11) [C0050] File System Micro-objective::Set File Attributes
12) [C0052] File System Micro-objective::Writes File
13) [E1510] Impact::Clipboard Modification
14) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process