MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c37bb680dc9c51f9c15e988fa3586cb9f0fe8786f2b9c9408aa953894c10180. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c37bb680dc9c51f9c15e988fa3586cb9f0fe8786f2b9c9408aa953894c10180
SHA3-384 hash: d01773a8b6ca51803fe5ca7b3095dbc9b83d79b6a6cc18a59c1826791ecd99b8a2dd4d1c8bc8a39137f7c4a69db43bb4
SHA1 hash: 13575fd8a086da8e8f8cc2ddad291681b5849241
MD5 hash: 57370f75710415d74c099d88b528b533
humanhash: music-jig-four-tennessee
File name:la_marmit_du_chef.exe
Download: download sample
File size:5'851'686 bytes
First seen:2022-01-20 10:24:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla)
ssdeep 98304:SybJyK39qHMF5eWDgkO5IFvVdpHOSvTQTt4uZFw9ixAhphx737VGbBHFP:Sy0YqHu5ecgk6IFPpuETQTtVwAKhxpGf
Threatray 1'688 similar samples on MalwareBazaar
TLSH T11E46339348A28129C24B02B96067FDBA68150997D7CA2ECF0F74DF0D7DA9B5D42CDD4C
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (2'283 x Formbook, 981 x Loki, 803 x AgentTesla)
Reporter JAMESWT_WT
Tags:exe mainsample test1625092

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
la_marmit_du_chef.exe
Verdict:
Malicious activity
Analysis date:
2022-01-20 10:24:28 UTC
Tags:
loader
Link:
https://app.any.run/tasks/ff7961a2-9811-47f4-a076-332edfdcd068

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/221032/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.42220477.4087.19311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a window
Сreating synchronization primitives
Launching a process
DNS request
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/4901/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/61e93885d32385db630e36cd/reports/34df4406-6386-4054-9648-b03cf84a3446/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d9928d8c-34cb-442b-8731-51c79c3f5199
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/924219
Signature
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Suspicious Certutil Command
Tries to download files via bitsadmin
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 556695 Sample: la_marmit_du_chef.exe Startdate: 20/01/2022 Architecture: WINDOWS Score: 76 71 Multi AV Scanner detection for submitted file 2->71 73 Sigma detected: Change PowerShell Policies to a Unsecure Level 2->73 75 Sigma detected: Suspicious Certutil Command 2->75 9 la_marmit_du_chef.exe 18 2->9         started        12 cert.exe 1 2->12         started        process3 file4 57 C:\Users\user\AppData\Local\...\marmite.exe, PE32 9->57 dropped 59 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->59 dropped 15 cmd.exe 9 9->15         started        18 marmite.exe 2 9->18         started        79 Obfuscated command line found 12->79 21 cmd.exe 1 12->21         started        signatures5 process6 file7 83 Obfuscated command line found 15->83 85 Tries to download files via bitsadmin 15->85 87 Uses ping.exe to sleep 15->87 89 2 other signatures 15->89 23 cert.exe 1 15->23         started        26 PING.EXE 1 15->26         started        29 conhost.exe 15->29         started        40 3 other processes 15->40 55 C:\Users\user\AppData\Local\...\marmite.tmp, PE32 18->55 dropped 31 marmite.tmp 10 18->31         started        34 WMIC.exe 1 21->34         started        36 conhost.exe 21->36         started        38 find.exe 21->38         started        42 3 other processes 21->42 signatures8 process9 dnsIp10 77 Obfuscated command line found 23->77 44 cmd.exe 1 23->44         started        67 127.0.0.1 unknown unknown 26->67 69 192.168.2.1 unknown unknown 26->69 61 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 31->61 dropped 63 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 31->63 dropped 65 C:\Users\user\AppData\Local\...\_RegDLL.tmp, PE32 31->65 dropped file11 signatures12 process13 signatures14 81 Obfuscated command line found 44->81 47 WMIC.exe 1 44->47         started        49 conhost.exe 44->49         started        51 certutil.exe 2 44->51         started        53 3 other processes 44->53 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c37bb680dc9c51f9c15e988fa3586cb9f0fe8786f2b9c9408aa953894c10180/
Threat name:
Win32.Downloader.Leopard
Create hunting rule
Status:
Malicious
First seen:
2022-01-20 10:25:39 UTC
File Type:
PE (Exe)
Extracted files:
179
AV detection:
14 of 43 (32.56%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
2988763ce776fb8a9c79a2565384a30744cccd114cde7ee49b71965396f41bc7
2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
3a6ca6a75525505890dc5d13ab3d888135b1cb4922605be0ee447579305b5e4b
48267b826fa7ec0cea8be878f979a967d0a091cccea9f226ad8d87b29dc94800
6e52d162baf265e070ec1a3147ad651d8bd8481d96b33cee1b89d84e9c92c5f3
7b24f14ce1d2cb622d41c4f8b6fe23edb1471ede00b0b0e8c6c37d8379f5f58a
dda839584708cdc28f165d0f387a43dbd32b7f56bba0af7c942ee2b751e9ab75
+ 1'678 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/220120-mfyw2shegp/
Behaviour
Creates scheduled task(s)
Download via BitsAdmin
Modifies data under HKEY_USERS
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Sets service image path in registry
suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
Unpacked files
SH256 hash:
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a
MD5 hash:
293165db1e46070410b4209519e67494
SHA1 hash:
777b96a4f74b6c34d43a4e7c7e656757d1c97f01
Link:
https://www.unpac.me/results/b45ccf16-3ff3-45d5-939e-6180b9603e23/
SH256 hash:
204d8d2aab5e00484f8e355be1622fd70c6fff9cd3280b29d896a606a4210bff
MD5 hash:
3df90344818bd1e0c12c187ea978e1d6
SHA1 hash:
cbd26c2acd392f784a4845e2838d482b7434cd15
Link:
https://www.unpac.me/results/b45ccf16-3ff3-45d5-939e-6180b9603e23/
SH256 hash:
ffbe1e5a2f3cba8d4c953b7b93926f22e3793b5ac8bafa27954c2382c27a2b53
MD5 hash:
d8c0981ceef4dc4fa5405acbf3aa3eae
SHA1 hash:
39b55fba379043cb605f7fdf08cb934027a07d71
Link:
https://www.unpac.me/results/b45ccf16-3ff3-45d5-939e-6180b9603e23/
SH256 hash:
ff66b0d29e7f302abad16c2625261a01841218fc4e9fb548d37c949e078df03f
MD5 hash:
5987497280b0bfc5e81f4d3d76363ceb
SHA1 hash:
dfd1b1816b3af713cadbf5b93328da5532b55547
Link:
https://www.unpac.me/results/b45ccf16-3ff3-45d5-939e-6180b9603e23/
SH256 hash:
a6fe62d19b2b0f608fe3367ba5612742b9ff248b91a32b13fe189c891a22a00d
MD5 hash:
729168d16501390f6b7d92edb38886c4
SHA1 hash:
d244dc2a6325b22a02372c2b8e01ef4a3e51d10c
Link:
https://www.unpac.me/results/b45ccf16-3ff3-45d5-939e-6180b9603e23/
SH256 hash:
6c37bb680dc9c51f9c15e988fa3586cb9f0fe8786f2b9c9408aa953894c10180
MD5 hash:
57370f75710415d74c099d88b528b533
SHA1 hash:
13575fd8a086da8e8f8cc2ddad291681b5849241
Link:
https://www.unpac.me/results/b45ccf16-3ff3-45d5-939e-6180b9603e23/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c37bb680dc9c51f9c15e988fa3586cb9f0fe8786f2b9c9408aa953894c10180

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/221032/

Comments