MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bbaa968ace0b8f18e386380f14d93bd3cb356978277e557f604731caf76e5a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bbaa968ace0b8f18e386380f14d93bd3cb356978277e557f604731caf76e5a3
SHA3-384 hash: 9eb9aa9aba0fe1269dee000f04ea71db869f4013a81187ae4098aae1bacd3706f5bd7c9568b36cecdeaf692e83a2fbad
SHA1 hash: d6cddf472731e143e1f5191394829c02a54bf429
MD5 hash: ccc9b019a018122f22e26d9d37ca3ece
humanhash: beryllium-sink-arkansas-alanine
File name:ccc9b019a018122f22e26d9d37ca3ece
Download: download sample
File size:2'061'621 bytes
First seen:2022-05-18 11:20:35 UTC
Last seen:2022-05-18 11:58:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 24576:zry2uXzmwLUCYibhA7b67S2tfd+XW1dphbHEai9K0YP9R/vAG:zun1K/GnTD1d3a9zYP9hAG
Threatray 1'439 similar samples on MalwareBazaar
TLSH T1C2950309A187E27BFCEC08F3445090D4C29C7FAA7B128DCDE97AD58A141F542B7B6D86
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ccc9b019a018122f22e26d9d37ca3ece
Verdict:
Suspicious activity
Analysis date:
2022-05-19 00:16:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a05e265d-9aaa-423a-8c1a-c77b98f780f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/272077/
Detection(s):
SecuriteInfo.com.Trojan.Uztuby.4.21386.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18718/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Gathering data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbb848e5-0fd8-404d-8571-de231e29f283
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/996729
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 629225 Sample: 4NOUcFLpl0 Startdate: 18/05/2022 Architecture: WINDOWS Score: 56 22 Antivirus detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 9 4NOUcFLpl0.exe 3 8 2->9         started        process3 file4 20 C:\Users\user\AppData\Local\Temp\C8uGz0.cpl, PE32 9->20 dropped 12 control.exe 1 9->12         started        process5 process6 14 rundll32.exe 12->14         started        process7 16 rundll32.exe 14->16         started        process8 18 rundll32.exe 16->18         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6bbaa968ace0b8f18e386380f14d93bd3cb356978277e557f604731caf76e5a3/
Threat name:
Win32.Backdoor.Quakbot
Create hunting rule
Status:
Malicious
First seen:
2022-05-18 12:12:08 UTC
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0de06f35a5c31c70dd592e15c7ebe43fcacd0935828855f59df4b1d322e05bdd
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
2df4e3a4d7b6e5f33ef54c73ff86ffc76d8667ff587756a2887bf91687ab46a9
56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d
bb9377d30a6a0abe24b7eca70250745afc078f116871bb94b5d617a207b37a9c
c7304ff0966068d305da031f9da60c5b0ebe32ac43533d27f50190f1ba549347
dd2a5dcb0106f4c6e7b91ececccef95ff651daa95d78210d41287fe1de0cb639
f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19
+ 1'429 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220518-nfzn1shbc9/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Loads dropped DLL
Unpacked files
SH256 hash:
6bbaa968ace0b8f18e386380f14d93bd3cb356978277e557f604731caf76e5a3
MD5 hash:
ccc9b019a018122f22e26d9d37ca3ece
SHA1 hash:
d6cddf472731e143e1f5191394829c02a54bf429
Link:
https://www.unpac.me/results/396bb456-407a-4236-8031-cdca94054e72/
Malware family:
CryptOne
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6bbaa968ace0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6bbaa968ace0b8f18e386380f14d93bd3cb356978277e557f604731caf76e5a3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6bbaa968ace0b8f18e386380f14d93bd3cb356978277e557f604731caf76e5a3

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2200573/
Cape
Cape
https://www.capesandbox.com/analysis/272077/

Comments


Avatar
zbet commented on 2022-05-18 11:20:52 UTC

url : hxxps://5kdfbjghdf5.monster/search_hyperfs_310.exe