MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6cb11e3e67797e260331ae39903cdfe6c0ac875e0516af17e34b561dc0209951. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6cb11e3e67797e260331ae39903cdfe6c0ac875e0516af17e34b561dc0209951
SHA3-384 hash: a024c29653bfafb180c0ff362b3c626e7d2d345c7d631ee3ac10d65110d1a6f308cbfa74b2b58397bd9ff846c26beb90
SHA1 hash: 494d827d162e1c5b9ceaa8941ff459ed8709a65f
MD5 hash: 1b1b7d74f802b78805f5aa248ead85e3
humanhash: robin-december-california-snake
File name:1b1b7d74f802b78805f5aa248ead85e3.exe
Download: download sample
File size:9'863'259 bytes
First seen:2022-06-22 14:49:50 UTC
Last seen:2022-06-22 15:57:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (389 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 196608:zztkPsTo5Mr2vh4xaBeMDDs2HwnaZbJleUVxVfxFis2/+zxE8FDZHuv5sp:z6coWLUBe0zwnKt3vVfxFiF+bruvip
TLSH T123A633036AC062B3D9323C375A89572154B93F55BBB5CADF7370790CE8A49C1DA307AA
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/282327/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.3092.9531.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-vm greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62b32c2ce88d6da4ffbc8b46/reports/92144be6-22a8-4d44-b8eb-e1aa156bb7c6/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6cb9f9ed-6fe8-4a32-904b-2f8fd93e5ccc
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
troj
Score:
32 / 100
Link:
https://www.joesandbox.com/analysis/1017993
Signature
May check the online IP address of the machine
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6cb11e3e67797e260331ae39903cdfe6c0ac875e0516af17e34b561dc0209951/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nsyr4pthpf7cmazrvy4zapg743akzb26aulk6f7djnlb3qbatfiq._file
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220622-r7pjxahbfj/
Behaviour
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
6d3ed22ea76308b1671326e0bc9175ca1a0391c17bd476e6774149f40a406e61
MD5 hash:
86ef50ab97511b53efe4ca36ac7ce7d9
SHA1 hash:
a58b45ca70520e8ffbf7179c45bc45d3223b7ea8
Link:
https://www.unpac.me/results/be6e5137-caa3-4ed2-8917-06c8e7e1f28c/
SH256 hash:
6cb11e3e67797e260331ae39903cdfe6c0ac875e0516af17e34b561dc0209951
MD5 hash:
1b1b7d74f802b78805f5aa248ead85e3
SHA1 hash:
494d827d162e1c5b9ceaa8941ff459ed8709a65f
Link:
https://www.unpac.me/results/be6e5137-caa3-4ed2-8917-06c8e7e1f28c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6cb11e3e67797e260331ae39903cdfe6c0ac875e0516af17e34b561dc0209951

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 6cb11e3e67797e260331ae39903cdfe6c0ac875e0516af17e34b561dc0209951

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/282327/
  
URLhaus
https://urlhaus.abuse.ch/url/2247288/
  
Delivery method
Distributed via web download

Comments