MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e
SHA3-384 hash: 05928e530cc8f4df3d67904b7cdd8ea128108fd3d19f2ad246366b87617d1b25a70d94e781891eaeb30a0ae74b3a6de1
SHA1 hash: ac2de4ad1a8c659e5ca7cb688edd8658a23b2056
MD5 hash: 9c1b58af10b0f62a66656fd9ec892f96
humanhash: bluebird-wyoming-johnny-hotel
File name:6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e
Download: download sample
File size:5'237'848 bytes
First seen:2021-07-12 07:09:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep 49152:rL8rQpQkJA03lCJ1TfwJUjlF7Yn1TxghIYas9DZui7q/7FN2O7xCWTr474h5g+AX:X8iy03gAJUjlUPObUmqj7xg+AX
Threatray 202 similar samples on MalwareBazaar
TLSH T12E363B57F8A245FAC5BEF1308251A3227A717869833077D31F9496AB1A66FD07B3E310
Reporter JAMESWT_WT
Tags:BIOPASS exe signed

Code Signing Certificate

Organisation:Rhaon Entertainment Inc
Issuer:thawte SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-01-02T00:00:00Z
Valid to:2021-03-02T23:59:59Z
Serial number: 06808c5934da036a1297a936d72e93d4
Intelligence: 35 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b3ba6284885eadff7d2f7469c8c4aa2facc804ef21e54266fc543cc28e7c0cd4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
117
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e
Verdict:
No threats detected
Analysis date:
2021-07-12 07:17:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/55156790-3e45-4e12-8532-818f4af75c0b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170951/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46606609.32681.15227.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Netbounce
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/87147bed-0865-40df-9f04-c903988c266d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
51 / 100
Link:
https://www.joesandbox.com/analysis/814626
Signature
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sigma detected: Execution from Suspicious Folder
Uses whoami command line tool to query computer and username
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447035 Sample: orhW4DgSpE.exe Startdate: 12/07/2021 Architecture: WINDOWS Score: 51 79 Multi AV Scanner detection for submitted file 2->79 81 PE file has a writeable .text section 2->81 83 Sigma detected: Execution from Suspicious Folder 2->83 8 orhW4DgSpE.exe 1 2->8         started        12 orhW4DgSpE.exe 501 2->12         started        14 orhW4DgSpE.exe 2 2->14         started        process3 dnsIp4 53 C:\Users\...\flashplayerpp_install_cn.exe, PE32 8->53 dropped 55 C:\Users\Public\BPS\V2\...\static_files.py, Python 8->55 dropped 57 C:\Users\Public\BPS\V2\engineio\socket.py, Python 8->57 dropped 65 272 other files (none is malicious) 8->65 dropped 16 init.exe 8->16         started        75 flashdownloadserver.oss-cn-hongkong.aliyuncs.com 47.75.19.237, 49730, 49732, 49733 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->75 59 C:\Users\Public\BPS\V2\init.exe, PE32 12->59 dropped 61 C:\Users\Public\BPS\V2\win32ts.pyd, PE32 12->61 dropped 63 C:\Users\Public\BPS\V2\win32process.pyd, PE32 12->63 dropped 67 195 other files (none is malicious) 12->67 dropped 18 init.exe 2 12->18         started        20 flashplayerpp_install_cn.exe 12->20         started        24 init.exe 2 14->24         started        file5 process6 dnsIp7 26 cmd.exe 16->26         started        28 conhost.exe 16->28         started        30 socketio.exe 16->30         started        32 cmd.exe 1 18->32         started        35 socketio.exe 111 18->35         started        37 conhost.exe 18->37         started        69 101.33.11.110 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 20->69 71 36d6250d.tweb.sched.ovscdns.com 211.152.136.71 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN China 20->71 73 7 other IPs or domains 20->73 85 Detected unpacking (changes PE section rights) 20->85 39 cmd.exe 24->39         started        41 conhost.exe 24->41         started        43 socketio.exe 24->43         started        signatures8 process9 signatures10 45 conhost.exe 26->45         started        77 Uses whoami command line tool to query computer and username 32->77 47 conhost.exe 32->47         started        49 conhost.exe 35->49         started        51 conhost.exe 39->51         started        process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e/
Threat name:
Win64.Trojan.Staser
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 22:59:23 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
12 of 46 (26.09%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
30d9ffd4b92a4ed67569a78ceb25bb6f66346d1c0a7d6d6305e235cbdfe61ebe
69d930050b2445937ec6a4f9887296928bf663f7a71132676be3f112e80fe275
7d0d7d416db5bd7201420982987e213a129eef2314193e4558a24f3c9a91a38e
98a91356e0094c96d81bd27af407dd48c3c91aaf97da6794aeb303597a773749
9ff906ffcde32e4c6fb3ea4652e6d6326713a7fde8bb783b52f12a1f382f8798
bd8dc7e3909f6663c0fff653d7afbca2b89f2e9bc6f27adaab27f640ccf52975
c8542bffc7a2074b8d84c4de5f18e3c8ced30b1f6edc13047ce99794b388285c
cce6b17084a996e2373aaebbace944a17d3e3745e9d88efad4947840ae92fd55
e4109875e84b3e9952ef362abc5b826c003b3d0b1b06d530832359906b0b8831
fb812a2ccdab0a9703e8e4e12c479ff809a72899374c1abf06aef55abbbf8edc
+ 192 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210712-9ckjleqkpn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e
MD5 hash:
9c1b58af10b0f62a66656fd9ec892f96
SHA1 hash:
ac2de4ad1a8c659e5ca7cb688edd8658a23b2056
Link:
https://www.unpac.me/results/58013caa-d795-46e6-bc4b-efc151ef95e6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6ee8f6a0c514a5bd25f7a32210f4b3fe878d9d417a7ebe07befc285131bae10e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170951/

Comments