MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PlagueBot


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
SHA3-384 hash: 6620c3c812a1b41d904d6c0a38e9765993c64da97f10d40bbefd6a26ccf51bc9e92be36e5ce59cccf03b8747efd1e872
SHA1 hash: 8ddb9f2a559f6af5ccaa04c8b5b589d216357340
MD5 hash: b7756f9d9e8c5f4ba2c930adb666fbae
humanhash: apart-music-seven-november
File name:b7756f9d9e8c5f4ba2c930adb666fbae
Download: download sample
Signature PlagueBot
Create hunting rule
File size:102'400 bytes
First seen:2022-10-19 07:17:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 1536:DQIAibOVOk3udovOyePC9Eop2h90L64QG9iDCzPgQD8Kg90a//MudDBG:DQ/ibOcIudovOy8CUwIOkCzgQq0UzxM
Threatray 688 similar samples on MalwareBazaar
TLSH T1BBA3CFB623E62E2CFBFB0F34DD7615244E39BD574A11C66E2A0140CF5AB19148EA1B32
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter zbetcheckin
Tags:32 exe PlagueBot

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b7756f9d9e8c5f4ba2c930adb666fbae
Verdict:
No threats detected
Analysis date:
2022-10-19 07:18:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d0870c58-4b51-42b9-9791-c4c78052e552

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321621/
Detection(s):
Win.Malware.Ursu-9794593-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a process with a hidden window
Blocking the Windows Defender launch
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
black evasive obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/634fa4ad898b0652a4b8ee10/reports/39879862-6ac1-4729-873a-91dceafe9f25/overview
Result
Verdict:
MALICIOUS
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
JigsawLocker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a218206f-6ca8-43aa-9256-17f684e5cd6f
Result
Threat name:
Blank Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1093281
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Disables Windows Defender (via service or powershell)
Encrypted powershell cmdline option found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Schedule system process
Uses schtasks.exe or at.exe to add and modify task schedules
Wscript starts Powershell (via cmd or directly)
Yara detected Blank Grabber
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 725903 Sample: s0Dc1YLder.exe Startdate: 19/10/2022 Architecture: WINDOWS Score: 100 69 blankadocn.in 2->69 71 ip-api.com 2->71 73 2 other IPs or domains 2->73 85 Multi AV Scanner detection for domain / URL 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 Antivirus detection for URL or domain 2->89 91 9 other signatures 2->91 9 s0Dc1YLder.exe 38 10 2->9         started        14 s0Dc1YLder.exe 2->14         started        signatures3 process4 dnsIp5 75 146.70.143.176, 49699, 49700, 49701 TENET-1ZA United Kingdom 9->75 63 C:\Users\user\AppData\Roaming\...\FILE.exe, PE32 9->63 dropped 65 C:\Users\user\AppData\Local\...\tmp7433.vbs, ASCII 9->65 dropped 67 C:\Users\user\AppData\...\s0Dc1YLder.exe.log, ASCII 9->67 dropped 93 Creates an undocumented autostart registry key 9->93 95 Uses schtasks.exe or at.exe to add and modify task schedules 9->95 97 Disables Windows Defender (via service or powershell) 9->97 16 wscript.exe 9->16         started        19 FILE.exe 9->19         started        22 powershell.exe 18 9->22         started        30 27 other processes 9->30 24 powershell.exe 14->24         started        26 powershell.exe 14->26         started        28 powershell.exe 14->28         started        32 3 other processes 14->32 file6 signatures7 process8 file9 77 Wscript starts Powershell (via cmd or directly) 16->77 79 Encrypted powershell cmdline option found 16->79 34 powershell.exe 16->34         started        37 powershell.exe 16->37         started        59 C:\Users\user\AppData\Local\...\blmkgrp.exe, PE32+ 19->59 dropped 61 C:\Users\user\AppData\...\blmkgrp[1].exe, PE32+ 19->61 dropped 81 Multi AV Scanner detection for dropped file 19->81 83 Powershell drops PE file 22->83 39 conhost.exe 22->39         started        41 conhost.exe 24->41         started        43 conhost.exe 26->43         started        45 conhost.exe 28->45         started        47 conhost.exe 30->47         started        49 26 other processes 30->49 51 2 other processes 32->51 signatures10 process11 file12 57 C:\Users\user\AppData\Local\DefaultDomain, PE32+ 34->57 dropped 53 conhost.exe 34->53         started        55 conhost.exe 37->55         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-19 07:43:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k7ufickwjpwrjuz5flrgmozlyzhzswemqozar6ijd3hk7byjpqnq._file
Verdict:
unknown
Similar samples:
054498f9520c77728c723a72e1657dd9371090e8c9ac67b53e888e5c0d03afed
PlagueBot
47dbb2594cd5eb7015ef08b7fb803cd5adc1a1fbe4849dc847c0940f1ccace35
PlagueBot
703b1802d40218a99be7cad5d4661db3d988bf23bd9fcae5f3f851089e4c2c24
PlagueBot
8fa6091ecf36c321aa568e76eab235f21ff0ca7e5906d75cb8e6c26abd2ef656
PlagueBot
a5e6caf0fc19953ef3c7ec323b851f1b14bde593f75d0113e0cada70880912df
PlagueBot
c7ccd6379627a10943964b592a5f38764ae1d0d0d39d17760940871fb3cd2958
PlagueBot
c86e66ff929bb7b66fa3a3dcbf12b2a39041ec1740cd5f748d4672bf06d6db5d
PlagueBot
+ 678 additional samples on MalwareBazaar
Result
Malware family:
plaguebot
Create hunting rule
Score:
  10/10
Tags:
family:orcus family:plaguebot botnet evasion persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/221019-h4yhzafaa6/
Behaviour
Creates scheduled task(s)
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Loads dropped DLL
Windows security modification
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Orcurs Rat Executable
PlagueBot Executable
Modifies Windows Defender Real-time Protection settings
Modifies security service
Orcus
Orcus main payload
PlagueBot
Malware Config
C2 Extraction:
146.70.143.176:81
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2445f3e7-aa91-4c25-bbb3-aec786d089e8
Unpacked files
SH256 hash:
57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b
MD5 hash:
b7756f9d9e8c5f4ba2c930adb666fbae
SHA1 hash:
8ddb9f2a559f6af5ccaa04c8b5b589d216357340
Link:
https://www.unpac.me/results/716f5a23-f25b-4c1c-b6b3-5582e54bb435/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:HKTL_NET_GUID_DarkFender
Create hunting rule
Author:Arnim Rupp
Description:Detects c# red/black-team tools via typelibguid
Reference:https://github.com/0xyg3n/DarkFender
Rule name:INDICATOR_SUSPICIOUS_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables containing artifcats associated with disabling Widnows Defender
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defedner features
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:SUSP_Reversed_Base64_Encoded_EXE_RID3291
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

PlagueBot

Executable exe 57e85409564bed14d33d2ae2663b2bc64f99588c83b208f9091eceaf87097c1b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2378022/
Cape
Cape
https://www.capesandbox.com/analysis/321621/

Comments


Avatar
zbet commented on 2022-10-19 07:17:46 UTC

url : hxxp://146.70.143.176/MAL/bin/virtulazation/DarkFender.exe