MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 703cb19c4f58a9043fc687cc2a851640d6f79ff7e8afafdc41dfcb3c896df017. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 703cb19c4f58a9043fc687cc2a851640d6f79ff7e8afafdc41dfcb3c896df017
SHA3-384 hash: 863bbc3f6457d4b5917e5b8d50fd5cc530e3425920748a3e5f30b3481a1510275d375b43eb35d4894c39cfe926f2045c
SHA1 hash: e7f758090c7af782e5b6e64d2db16fd88f41e933
MD5 hash: 751798eb2b9f14d827c94d49e2764098
humanhash: tennessee-football-louisiana-jig
File name:751798eb_by_Libranalysis
Download: download sample
File size:1'535'442 bytes
First seen:2021-05-24 06:02:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 24576:XDV1ZYKY6mufsH4zc+krMPQItIcSqrkE7YSQzzSKskiqXp7Xs9ZX6+:TV1ZYnuf64z8rhrc6E7PQzzlsk9Z5+
Threatray 127 similar samples on MalwareBazaar
TLSH 646533E6766C4814C2F40AB007F99FCB70FA7A595932E686B7868CCFB665503C1242FD
Reporter Libranalysis


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
B372F8B11308E0BED273A2959B57B648.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 04:46:03 UTC
Tags:
trojan loader evasion stealer rat redline phishing
Link:
https://app.any.run/tasks/1cb00400-345a-475f-8ec8-15b33744186f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Zeus
Create hunting rule
Link:
https://www.capesandbox.com/analysis/161231/
Detection(s):
PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Deleting a recently created file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a UDP request
Launching a process
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790052
Signature
Contains functionality to register a low level keyboard hook
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Submitted sample is a known malware sample
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 422448 Sample: 751798eb_by_Libranalysis Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 83 Multi AV Scanner detection for dropped file 2->83 85 Multi AV Scanner detection for submitted file 2->85 87 Detected unpacking (changes PE section rights) 2->87 89 5 other signatures 2->89 12 751798eb_by_Libranalysis.exe 25 2->12         started        15 SmartClock.exe 2->15         started        17 SmartClock.exe 2->17         started        process3 file4 59 C:\Users\user\AppData\Local\Temp\...\vpn.exe, PE32 12->59 dropped 61 C:\Users\user\AppData\Local\Temp\...\4.exe, PE32 12->61 dropped 63 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 12->63 dropped 65 3 other files (none is malicious) 12->65 dropped 19 vpn.exe 7 12->19         started        21 4.exe 4 12->21         started        process5 file6 24 cmd.exe 1 19->24         started        55 C:\Users\user\AppData\...\SmartClock.exe, PE32 21->55 dropped 27 SmartClock.exe 21->27         started        process7 signatures8 95 Submitted sample is a known malware sample 24->95 97 Obfuscated command line found 24->97 99 Uses ping.exe to sleep 24->99 101 Uses ping.exe to check the status of other devices and networks 24->101 29 cmd.exe 3 24->29         started        32 conhost.exe 24->32         started        process9 signatures10 107 Obfuscated command line found 29->107 109 Uses ping.exe to sleep 29->109 34 Finita.exe.com 29->34         started        36 PING.EXE 1 29->36         started        39 findstr.exe 1 29->39         started        process11 dnsIp12 42 Finita.exe.com 34->42         started        71 127.0.0.1 unknown unknown 36->71 73 192.168.2.1 unknown unknown 36->73 57 C:\Users\user\AppData\...\Finita.exe.com, Targa 39->57 dropped file13 process14 dnsIp15 75 NYcZHXcaDtMcduAOJZ.NYcZHXcaDtMcduAOJZ 42->75 103 Writes to foreign memory regions 42->103 105 Injects a PE file into a foreign processes 42->105 46 attrib.exe 3 19 42->46         started        signatures16 process17 dnsIp18 77 ip-api.com 46->77 79 ip-api.com 208.95.112.1, 49719, 80 TUT-ASUS United States 46->79 67 C:\Users\user\AppData\Local\...\iafbbsboc.vbs, ASCII 46->67 dropped 81 May check the online IP address of the machine 46->81 51 wscript.exe 12 46->51         started        file19 signatures20 process21 dnsIp22 69 iplogger.org 88.99.66.31, 443, 49720 HETZNER-ASDE Germany 51->69 91 System process connects to network (likely due to code injection or exploit) 51->91 93 May check the online IP address of the machine 51->93 signatures23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/703cb19c4f58a9043fc687cc2a851640d6f79ff7e8afafdc41dfcb3c896df017/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 06:03:11 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
28620b494558edf4a59fcf787b68ff2cda2f66c8e77a14a5e7045216e074df30
3411ffa29608d19dc77f53571010425fc94abd5dac92d6c2abffab6eb468c0ea
79a2018e882db101500e8f932582227c1b4ba49b8f85bb303b77a749d9647ad4
890cfa4c1baa1061d5f753c652262d07b81cf890b87cfcd15ad1c20eb1e6a28e
8cec146d7a7b594cf7748b35c63ea1fed2c994ef2cdbb5731f1b15d9c9fa1ee3
a5c463db805e356cb6e73e5676b397eab265e061c6797e27b626b8b4aee892a3
e9da1da3a4fb2050b9b17f5dbb1dd5f334f22637fc8186052d152cc631839f9b
f7538c1641168a73906c017c7e840834aa498335c83f4c344b7375272f02ad15
fa83c0bb710987cdf1c5ed15400d938bc818d20c34af9e96e8cd99fc2ac3a172
fc2a8472021c1f37e7ba14fd51259d37d10bd030ecd33134ebf42d3279ab860a
+ 117 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/210524-egcedxc8qs/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/703cb19c4f58a9043fc687cc2a851640d6f79ff7e8afafdc41dfcb3c896df017

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/161231/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-24 07:38:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [F0002.002] Collection::Polling
2) [C0032.001] Data Micro-objective::CRC32::Checksum
3) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0045] File System Micro-objective::Copy File
7) [C0046] File System Micro-objective::Create Directory
8) [C0048] File System Micro-objective::Delete Directory
9) [C0047] File System Micro-objective::Delete File
10) [C0049] File System Micro-objective::Get File Attributes
11) [C0051] File System Micro-objective::Read File
12) [C0050] File System Micro-objective::Set File Attributes
13) [C0052] File System Micro-objective::Writes File
14) [E1510] Impact::Clipboard Modification
15) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
16) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
17) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
20) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
21) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0018] Process Micro-objective::Terminate Process