MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ed66ad6e2ca374221ed660177521dc2c4db9492a048c52410931b86a66cc837. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Ousaban


Vendor detections: 5



SHA256 hash: 4ed66ad6e2ca374221ed660177521dc2c4db9492a048c52410931b86a66cc837
SHA3-384 hash: 33319e3f610423f84d2628f92dc8769e65d94f02f063dbc321ff8d4335a6edf852b5827422316e4994c526b7e41e55a2
SHA1 hash: 6739fc00b013de378b79ebb759883f96da8c7b91
MD5 hash: 5bf0e67f2a413ef44ff365a9f28ba4ce
humanhash: lima-fruit-bacon-comet
File name: Isname.name
Download: download sample
Signature: Ousaban
File size: 12'151'888 bytes
First seen: 2022-04-12 21:55:04 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b88830c772311172534a0269092f1b8c (1 x Ousaban)
ssdeep 196608:rea0/lFiriNDXbSOTVf/xdamo3Qvo8YMzsihz+AtehKUzzFhWxvDbmOvpOM7i7BK:ri/lF+iFXbSOTVf/xdaL18TzsihaAtes
Threatray 6 similar samples on MalwareBazaar
TLSH T180C63952E384943ADC2707368C378EA15837BE381D35496F6BAC392C1F77742692AE47
dhash icon dad2fce4e6c2e4d0 (1 x Ousaban)
Reporter dodosec
Tags:exe ousaban signed

Code Signing Certificate

Organisation: ObviousIdea
Issuer: Thawte Code Signing CA - G2
Algorithm: sha1WithRSAEncryption
Valid from: 2011-02-15T00:00:00Z
Valid to: 2012-02-15T23:59:59Z
Serial number: 50ff77b46da066fa84bb1501b89013f5
Thumbprint Algorithm: SHA256
Thumbprint: b04c91ac9586cfb706aed90f7362211b5731e4ff3dfb3a60c0db802630735f7c
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
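The certificate shown above expired on 2012-02-15, roughly ten years before this sample was first seen (2022-04-12), and it was issued under sha1WithRSAEncryption, so the "signed" tag by itself says nothing about whether the signature should be trusted. The script below is an added example, not code from MalwareBazaar or abuse.ch: it takes a get_info style record for this hash and flags exactly those two conditions. The JSON is constructed here from the values on this page; the field names (query_status, data[], code_sign[] with subject_cn, issuer_cn, algorithm, valid_from, valid_to, thumbprint) follow MalwareBazaar's get_info response layout as an assumption, so check them against the API docs before pointing this at live replies.

```python
"""Triage a MalwareBazaar get_info record: decide whether the 'signed' tag means anything."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed reply body. Field names follow the documented get_info layout
# (assumption); the values are copied from this page's entry.
SAMPLE_RESPONSE = json.dumps({
    "query_status": "ok",
    "data": [{
        "sha256_hash": "4ed66ad6e2ca374221ed660177521dc2c4db9492a048c52410931b86a66cc837",
        "file_name": "Isname.name",
        "file_size": 12151888,
        "first_seen": "2022-04-12 21:55:04",
        "signature": "Ousaban",
        "tags": ["exe", "ousaban", "signed"],
        "code_sign": [{
            "subject_cn": "ObviousIdea",
            "issuer_cn": "Thawte Code Signing CA - G2",
            "algorithm": "sha1WithRSAEncryption",
            "valid_from": "2011-02-15T00:00:00Z",
            "valid_to": "2012-02-15T23:59:59Z",
            "serial_number": "50ff77b46da066fa84bb1501b89013f5",
            "thumbprint_algorithm": "SHA256",
            "thumbprint": "b04c91ac9586cfb706aed90f7362211b5731e4ff3dfb3a60c0db802630735f7c",
        }],
    }],
})

# Signature algorithms that CA/Browser Forum and Microsoft have retired for code signing.
WEAK_SIG_ALGOS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


@dataclass
class CertFinding:
    subject: str
    issuer: str
    findings: list[str]  # empty list means nothing suspicious about this signer


def parse_ts(value: str) -> datetime:
    """first_seen is 'YYYY-MM-DD HH:MM:SS' (UTC); certificate dates are ISO-8601 with a Z."""
    value = value.replace("Z", "").replace("T", " ")
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def assess_code_signing(record: dict) -> list[CertFinding]:
    """One CertFinding per signer, listing why its signature should not be trusted."""
    first_seen = parse_ts(record["first_seen"])
    results = []
    for cert in record.get("code_sign", []):
        findings = []
        not_before = parse_ts(cert["valid_from"])
        not_after = parse_ts(cert["valid_to"])
        # A signature made after expiry (and without a trusted timestamp) is worthless;
        # compare the validity window against when the sample surfaced.
        if first_seen > not_after:
            days = (first_seen - not_after).days
            findings.append(f"certificate expired {days} days before the sample was first seen")
        elif first_seen < not_before:
            findings.append("certificate not yet valid when the sample was first seen")
        if cert["algorithm"] in WEAK_SIG_ALGOS:
            findings.append(f"signature algorithm {cert['algorithm']} is deprecated for code signing")
        results.append(CertFinding(cert["subject_cn"], cert["issuer_cn"], findings))
    return results


def triage(response_body: str) -> dict:
    """Parse a get_info reply and summarise whether the 'signed' tag carries any weight."""
    reply = json.loads(response_body)
    if reply.get("query_status") != "ok":
        raise ValueError(f"lookup failed: {reply.get('query_status')}")
    record = reply["data"][0]
    certs = assess_code_signing(record)
    return {
        "sha256": record["sha256_hash"],
        "family": record.get("signature"),
        "tagged_signed": "signed" in record.get("tags", []),
        "signer_findings": {c.subject: c.findings for c in certs},
        # Trust only if at least one signer exists and none of them raised a finding.
        "trust_signature": bool(certs) and all(not c.findings for c in certs),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_RESPONSE), indent=2))
```

For this entry the script reports tagged_signed true but trust_signature false, with the expired window and the SHA-1 algorithm as the reasons; the thumbprint can then be pivoted on to find other samples signed with the same stolen or expired certificate.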


dodo_sec
Final Ousaban payload, downloaded by 9091a791b900c6b7398b38b4641edff93036f83a36e1244594d5ecfd664b9931 and extracted from 0b36de4d494a750aa46e2c2ee60b515b30e5a86beb9de8142dad54aa79361eff

Intelligence


File Origin
# of uploads:
1
# of downloads:
412
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
MSIE9A.tmp
Verdict:
Malicious activity
Analysis date:
2022-03-28 22:19:07 UTC
Tags:
opendir evasion trojan

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
DNS request
Sending an HTTP GET request
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for the window
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
control.exe datper expand.exe explorer.exe greyware keylogger overlay packed replace.exe shell32.dll stealer update.exe
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ObviousIdea.com
Verdict:
Unknown
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
4 / 100
Behaviour
Behavior Graph:
n/a
Result
Malware family:
n/a
Score:
3/10
Tags:
n/a
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Enumerates physical storage devices
Unpacked files
SHA256 hash:
4ed66ad6e2ca374221ed660177521dc2c4db9492a048c52410931b86a66cc837
MD5 hash:
5bf0e67f2a413ef44ff365a9f28ba4ce
SHA1 hash:
6739fc00b013de378b79ebb759883f96da8c7b91
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:with_urls
Author:Antonio Sanchez <asanchez@hispasec.com>
Description: Rule to detect the presence of one or several URLs
Reference:http://laboratorio.blogs.hispasec.com/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments