MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf
SHA3-384 hash: ad61e4a3f99d82fae87807f507910c6dfb8c984dc29fe40bcc57a66b5a4b9c678cfd1fd2d94910057ba19438f524c5ec
SHA1 hash: 8be902de9c32a4cef74883d1d55d5f96ebb93ad7
MD5 hash: 09c0cd0147e1d3cd7377e34064466074
humanhash: mississippi-illinois-music-nebraska
File name:09c0cd0147e1d3cd7377e34064466074.exe
Download: download sample
File size:350'720 bytes
First seen:2020-11-19 06:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7563a2579d4391796e271b5314b47a9
ssdeep 6144:L9A9tLbWR2DC/507aU9tpcoE4kxRrL8YWdWUF7lkkv+Shyi4lK7sZF:L+9tLbWRWmecfPgFsG9nW
Threatray 5 similar samples on MalwareBazaar
TLSH C274F112B6C1C033E59229758D5AC6B55E36BCB14A365AC73BC52ABC8F343D28B35B43
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/542245
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 320222 Sample: l4we5Xizhf.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 88 48 4cnx9s25gsvw.top 2->48 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Multi AV Scanner detection for submitted file 2->56 58 2 other signatures 2->58 8 l4we5Xizhf.exe 17 2->8         started        signatures3 process4 dnsIp5 50 4cnx9s25gsvw.top 45.139.186.121, 49734, 49735, 49736 HostingvpsvilleruRU Russian Federation 8->50 30 C:\Users\user\AppData\...\syZsNnTNps[1].vx, PE32 8->30 dropped 32 C:\ProgramData\...\appconfig.dll, PE32 8->32 dropped 60 Detected unpacking (changes PE section rights) 8->60 62 Detected unpacking (overwrites its own PE header) 8->62 13 WerFault.exe 9 8->13         started        16 WerFault.exe 9 8->16         started        18 WerFault.exe 9 8->18         started        20 6 other processes 8->20 file6 signatures7 process8 file9 34 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 13->34 dropped 36 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 16->36 dropped 38 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->38 dropped 40 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->40 dropped 42 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->42 dropped 44 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->44 dropped 46 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 20->46 dropped 22 conhost.exe 20->22         started        24 reg.exe 20->24         started        26 conhost.exe 20->26         started        28 timeout.exe 20->28         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 02:01:28 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414
48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589
ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff
bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d
d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201119-6r4tnxmtke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf
MD5 hash:
09c0cd0147e1d3cd7377e34064466074
SHA1 hash:
8be902de9c32a4cef74883d1d55d5f96ebb93ad7
Link:
https://www.unpac.me/results/8dc4d7b2-d245-4be8-a1a2-762f8a0c315d/
SH256 hash:
f96912b9444d7d352d21a03cb568f3e27d3df2fc1e4298ea15e2c9bea86309e8
MD5 hash:
a2c8142e9ca0cab89cbba79d2edd95a6
SHA1 hash:
0be192a3c60dd00bc6b92e1b01dfe24f1d8740c2
Link:
https://www.unpac.me/results/8dc4d7b2-d245-4be8-a1a2-762f8a0c315d/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/828188/
  
Delivery method
Distributed via web download

Comments