MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CMSBrute


Vendor detections: 13


Intelligence 13 IOCs YARA 21 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d
SHA3-384 hash: c0f301490f975fdab7a17e66560c7e683df19d396cc9aeb9daa054fc9ac0da87aa7a184ba4f3985c0a26c70c939801ac
SHA1 hash: 11c6df477c1d8b95d7c6313f05cd759df34cdc4e
MD5 hash: 3bf670e5e1c152674b1a6f0fd3ed67f1
humanhash: august-west-enemy-summer
File name:3bf670e5e1c152674b1a6f0fd3ed67f1
Download: download sample
Signature CMSBrute
Create hunting rule
File size:2'031'104 bytes
First seen:2023-09-12 06:53:23 UTC
Last seen:2023-09-12 07:37:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9510dea81cc5ce11a4de430720afcd42 (2 x RecordBreaker, 2 x Amadey, 1 x CMSBrute)
ssdeep 49152:/jdg0nPwhegnBrxZPlH/+ui3T4Ga0e0MTDD4yfYyHs8Xu3/:720nPcnZxZPZgeccD4yfnn+/
Threatray 2'162 similar samples on MalwareBazaar
TLSH T1689512C3E2E0BC60D4560A729E2EB5A56E1DFD204F67F66AE3586A1F05BD2E1D173300
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 0008284148180800 (1 x CMSBrute)
Reporter zbetcheckin
Tags:32 CMSBrute exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
281
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
tinba
Create hunting rule
ID:
1
File name:
3bf670e5e1c152674b1a6f0fd3ed67f1
Verdict:
Malicious activity
Analysis date:
2023-09-12 06:56:22 UTC
Tags:
tinba trojan
Link:
https://app.any.run/tasks/6e22b55c-3ec7-4d23-bcc8-7caf78185d6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448056/
Detection(s):
SecuriteInfo.com.Win32.CrypterX-gen.4848.23443.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware lolbin packed shell32
Link:
https://www.filescan.io/uploads/65000b0b1a86bbaa1f823ace/reports/67cddb9e-5d6b-440b-8ffb-fe660ff2a740/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8d439cb6-1981-4acb-8845-9b684f9eb041
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1307685
Signature
Antivirus / Scanner detection for submitted sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Drops PE files with benign system names
Found Tor onion address
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May use the Tor software to hide its network traffic
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Snort IDS alert for network traffic
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d/
Threat name:
Win32.Trojan.Smokeloader
Create hunting rule
Status:
Malicious
First seen:
2023-09-11 22:43:17 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
29 of 37 (78.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmrs6hbmphcooap2bt7y3fczxlnzcjch34al25dhvcp7nmvrpygq._file
Verdict:
malicious
Similar samples:
0dc23d6fa01f29fa19e27e2a5008d97129db31378964a1c04740253a6bd9e25e
CMSBrute
4bdfd777b579da177959f5854c16f8201e1501e0cf9394f4cfef13cd999fb9d9
CMSBrute
6f015d2ecc877fdc3d3afec3e0172b3d1c01f5a0a723c7c66780bb2ce6ef5290
CMSBrute
78bad359d0652879dec380fee12b68cc4e14e4f63f8c4e23e7b75bb5338d5924
CMSBrute
8e913674dd4c4b71d46bcf7abc736662f46940206b7dcac65214424cf4dd93ba
CMSBrute
9d314f7bb979238d429d772e28d7a679fd4391db5d3581666a7f4207061be785
CMSBrute
b195fcd8ae87ad764ca22c51b3d10978cedeb61796144c6c0f4711a7e211a7ff
CMSBrute
be0d143cba0eae01c30976430152c4c5b0fcb32c5afc43e599adb0c0c90cbfa8
CMSBrute
e6cbc93d3d96f32c0533c52a5259fcfeaa1e5fc93ce8316d9cd3d5162b45433f
CMSBrute
f279e23308e3d5f1a8b40722f199b6fb4deb543b3f6774d47ca3cd3b39653c1b
CMSBrute
+ 2'152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence upx
Link:
https://tria.ge/reports/230912-hqcdksec99/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
d23c43d020d761d9c9ceca1df78df750febebcabf38904039846b66edae12ce2
MD5 hash:
8c78903f8692d45ee4345d7c102efbb3
SHA1 hash:
8297ed7224e8c402a668ac5d3d117ef1e803f67e
Link:
https://www.unpac.me/results/f9342d9e-7c88-46fb-a261-e4e298efae09/
SH256 hash:
6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d
MD5 hash:
3bf670e5e1c152674b1a6f0fd3ed67f1
SHA1 hash:
11c6df477c1d8b95d7c6313f05cd759df34cdc4e
Link:
https://www.unpac.me/results/f9342d9e-7c88-46fb-a261-e4e298efae09/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6b232f1c2c79/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Havex
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:without_attachments
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the no presence of any attachment
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CMSBrute

Executable exe 6b232f1c2c79c4e701fa0cff8d9459badb912447df00bd7467a89ff6b2b17e0d

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2711251/
Cape
Cape
https://www.capesandbox.com/analysis/448056/

Comments


Avatar
zbet commented on 2023-09-12 06:53:24 UTC

url : hxxp://185.153.198.156/b.exe