MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70fed089cabe70e9ae9cd11f13054811e5995348a7d01292ad62cb0eb45ccd31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat: unknown
Vendor detections: 10


SHA256 hash: 70fed089cabe70e9ae9cd11f13054811e5995348a7d01292ad62cb0eb45ccd31
SHA3-384 hash: e35fef6221ffd7e5608cbd5a7e2b87650708fb166ef41bb4e747b770e4cb73522a19c4844f03ea92f59ce86dd594b909
SHA1 hash: 26072cb9a35ebfb90d37803b3e2948dc1489bf9d
MD5 hash: 7cf4182db87387d8cc856324e0d6129e
humanhash: edward-princess-mockingbird-california
File name: 7cf4182db87387d8cc856324e0d6129e.exe
File size: 899,584 bytes
First seen: 2023-06-22 18:00:00 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0330cb8599ebc8e2472474ca94c4c09a
ssdeep: 24576:M4lu+hE3lmon4E4itbXyXulV6TS3jhlRTp:Tlu+W3IC4UbQulV6TsFlR
Threatray: 24 similar samples on MalwareBazaar
TLSH: T17C15010075C08872ED6301335EFC9DB8576DBA520B6526FB13D85EBE8FE52E2E632911
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: exe
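The hash, size and MIME fields above are what you should recompute after pulling the sample, before trusting any pivot built on them. The script below is an added example, not MalwareBazaar's own tooling: it fingerprints a file the same way the entry does (SHA256, SHA3-384, SHA1, MD5, size, plus an MZ/PE header check standing in for the MIME field) and lists every record field that disagrees. The RECORD values are copied from this entry; the bytes produced by build_fake_pe are a constructed stand-in for the demo and will not match the record (the real file is 899,584 bytes). get_info assumes the MalwareBazaar API's get_info query and Auth-Key header, needs network access, and is not called in the demo.

```python
"""Cross-check a downloaded MalwareBazaar sample against its database record.

Added example, not MalwareBazaar's code. Recomputes the fingerprints the
entry lists and reports every field that disagrees with the record.
"""
import hashlib
import json
import struct
import urllib.parse
import urllib.request

# Values copied from the MalwareBazaar entry shown on this page.
RECORD = {
    "sha256": "70fed089cabe70e9ae9cd11f13054811e5995348a7d01292ad62cb0eb45ccd31",
    "sha3_384": "e35fef6221ffd7e5608cbd5a7e2b87650708fb166ef41bb4e747b770e4cb73522a19c4844f03ea92f59ce86dd594b909",
    "sha1": "26072cb9a35ebfb90d37803b3e2948dc1489bf9d",
    "md5": "7cf4182db87387d8cc856324e0d6129e",
    "size": 899584,
    "mime": "application/x-dosexec",
}


def fingerprint(data: bytes) -> dict:
    """Compute the hashes the entry lists, the size, and a PE header sanity check."""
    is_pe = False
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        is_pe = data[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        # Only checks for a PE header; it does not distinguish Win32 from Win64.
        "mime": "application/x-dosexec" if is_pe else "unknown",
    }


def mismatches(observed: dict, record: dict) -> list:
    """Return the record fields (sorted) whose value differs from the observation."""
    return sorted(k for k in record if observed.get(k) != record[k])


def build_fake_pe(payload: bytes = b"") -> bytes:
    """Constructed stand-in for the sample: a minimal MZ/PE skeleton, NOT the real file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    return bytes(dos) + b"PE\0\0" + payload


def get_info(sha256: str, auth_key: str) -> dict:
    """Fetch the record from the MalwareBazaar API.

    Assumption: the API's get_info query and Auth-Key header, as documented by
    abuse.ch; requires network access and is not exercised by the demo below.
    """
    body = urllib.parse.urlencode({"query": "get_info", "hash": sha256}).encode()
    req = urllib.request.Request(
        "https://mb-api.abuse.ch/api/v1/", data=body, headers={"Auth-Key": auth_key}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # For the real sample: data = open("7cf4182db87387d8cc856324e0d6129e.exe", "rb").read()
    sample = build_fake_pe(b"constructed demo payload")
    observed = fingerprint(sample)
    bad = mismatches(observed, RECORD)
    print("mismatched fields:", ", ".join(bad) if bad else "none (sample matches record)")
```

To check the real file, extract the downloaded ZIP (MalwareBazaar archives are password protected with "infected"), read the bytes and pass them to fingerprint; an empty mismatch list means the hashes, size and PE header all agree with the entry. A size or hash mismatch usually means a truncated download or the wrong file was extracted, not a different sample, so resolve it before pivoting on imphash, ssdeep or TLSH.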

Intelligence


File Origin
# of uploads: 1
# of downloads: 247
Origin country: NL

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 7cf4182db87387d8cc856324e0d6129e.exe
Verdict: No threats detected
Analysis date: 2023-06-22 18:01:23 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects everything the analyst did during the session, not only the uploaded sample.
Result
Verdict: Clean
Maliciousness:
Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware lolbin packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph ID: 892945
Sample: f51xgkTHgm.exe
Start date: 22/06/2023
Architecture: WINDOWS
Score: 52
Signatures: Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process tree: f51xgkTHgm.exe started, then WerFault.exe started and conhost.exe started
File dropped (by WerFault.exe): C:\ProgramData\Microsoft\...\Report.wer (Unicode)
Threat name: Win32.Trojan.Babar
Status: Malicious
First seen: 2023-06-22 18:00:09 UTC
File Type: PE (Exe)
AV detection: 13 of 37 (35.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Program crash
Unpacked files
SHA256 hash: 70fed089cabe70e9ae9cd11f13054811e5995348a7d01292ad62cb0eb45ccd31
MD5 hash: 7cf4182db87387d8cc856324e0d6129e
SHA1 hash: 26072cb9a35ebfb90d37803b3e2948dc1489bf9d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. They are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 70fed089cabe70e9ae9cd11f13054811e5995348a7d01292ad62cb0eb45ccd31 (this sample)

Delivery method: Distributed via web download

Comments