MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478
SHA3-384 hash: 2c835bcf2e4a995c8f2975818f3890ff692e5031a5771ac92257f203fc77adbb19c984f15345f1980070863442ae6ab9
SHA1 hash: 03cecb53b81f7f0fe8c3bcd1953e6b9caa6d3897
MD5 hash: 3dc0dee080fabc72eb28cc5fd88b4ece
humanhash: kansas-minnesota-colorado-jersey
File name:7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478
Download: download sample
File size:232'168 bytes
First seen:2020-11-15 23:21:08 UTC
Last seen:2020-11-16 00:42:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash baa634aefeafb4b29cdeb172fe1f2671 (11 x Gozi)
ssdeep 6144:+eT31XC4JiuMHgsmdbszoJDW0kiJLDnkt:+eSIiups5zt0kC0t
Threatray 6 similar samples on MalwareBazaar
TLSH F5346B203981C032E9720530A4FCBB66556A7FB60B7194EBB7B4BE5C7E292D24174F27
Reporter seifreed

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a window
DNS request
Sending an HTTP GET request
Sending an HTTP POST request
Creating a process from a recently created file
Creating a file
Moving a recently created file
Moving a file to the Windows subdirectory
Sending a custom TCP request
Deleting a recently created file
Replacing files
Sending a UDP request
Launching a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/536768
Signature
Contains functionality to infect the boot sector
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317483 Sample: vpa2IUrkCQ Startdate: 16/11/2020 Architecture: WINDOWS Score: 80 100 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->100 102 Multi AV Scanner detection for submitted file 2->102 104 Sigma detected: Suspicious Program Location Process Starts 2->104 106 3 other signatures 2->106 10 vpa2IUrkCQ.exe 1 3 2->10         started        process3 dnsIp4 86 analytics.ns1.ff.avast.com 5.62.40.203, 443, 49724, 49765 AVAST-AS-DCCZ United Kingdom 10->86 88 v7event.stats.avast.com 10->88 90 2 other IPs or domains 10->90 64 avast_premium_secu...etup_online_x64.exe, PE32+ 10->64 dropped 112 Query firmware table information (likely to detect VMs) 10->112 114 Contains functionality to infect the boot sector 10->114 15 avast_premium_security_setup_online_x64.exe 2 35 10->15         started        file5 signatures6 process7 dnsIp8 92 5.62.40.213, 443, 49737 AVAST-AS-DCCZ United Kingdom 15->92 94 v7event.stats.avast.com 15->94 96 2 other IPs or domains 15->96 44 C:\Windows\Temp\...\Instup.exe, PE32+ 15->44 dropped 46 C:\Windows\Temp\...\Instup.dll, PE32+ 15->46 dropped 48 C:\Windows\Temp\...\HTMLayout.dll, PE32+ 15->48 dropped 98 Query firmware table information (likely to detect VMs) 15->98 20 Instup.exe 6 48 15->20         started        file9 signatures10 process11 dnsIp12 74 shepherd.ns1.ff.avast.com 5.62.25.40, 443, 49739, 49761 AVAST-AS-DCCZ United Kingdom 20->74 76 192.168.2.1 unknown unknown 20->76 78 7 other IPs or domains 20->78 50 C:\Windows\Temp\...\uat_6764.dll, PE32+ 20->50 dropped 52 C:\Windows\Temp\...\setgui_x64_ais-985.vpx, PE32+ 20->52 dropped 54 C:\Windows\Temp\...\instup_x64_ais-985.vpx, PE32+ 20->54 dropped 56 8 other files (none is malicious) 20->56 dropped 108 Query firmware table information (likely to detect VMs) 20->108 25 instup.exe 2 25 20->25         started        file13 signatures14 process15 dnsIp16 80 5.62.40.211, 443, 49780, 49789 AVAST-AS-DCCZ United Kingdom 25->80 82 ipm-provider.ns1.ff.avast.com 5.62.44.222, 443, 49778 AVAST-AS-DCCZ United Kingdom 25->82 84 23 other IPs or domains 25->84 62 C:\Windows\Temp\...\uat_3976.dll, PE32+ 25->62 dropped 110 Query firmware table information (likely to detect VMs) 25->110 30 aswOfferTool.exe 25->30         started        33 aswOfferTool.exe 2 25->33         started        35 aswOfferTool.exe 1 1 25->35         started        37 aswOfferTool.exe 25->37         started        file17 signatures18 process19 file20 66 C:\Users\Public\Documents\aswOfferTool.exe, PE32 30->66 dropped 68 C:\Windows\Temp\...\gcapi_16054927005372.dll, PE32 30->68 dropped 39 aswOfferTool.exe 30->39         started        70 C:\Windows\Temp\...\gcapi_16054926936700.dll, PE32 33->70 dropped 42 aswOfferTool.exe 33->42         started        72 C:\Windows\Temp\...\gcapi_16054926911620.dll, PE32 35->72 dropped process21 file22 58 C:\Users\Public\...\gcapi_16054927015552.dll, PE32 39->58 dropped 60 C:\Users\Public\...\gcapi_16054926954996.dll, PE32 42->60 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:22:52 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
4547f1174d1400e41a8072651b4a71c3b8a672f491163e9f09175c7838153200
55897dc537d308842906dbf8bffde6eb846cdd6b5e9584d7efcbe7c342d5e699
7d3beeb2ab6a13038bce7d962a19a4d004a4526934823e23b8f1c5f68ed1800e
9a5e050fb6470a1a5fabf963ce60a23237a0ef553c18875770cd4ada41c5b259
c6a810bf84ea3fd17a282d2a10bec7811c79ff751d5dbcf9eb84cff95f1fd5ba
ca3cc0fc804c69584801fc33a39effafb6b2a747f4ef0958348cc13eaa2c5e3f
Result
Malware family:
n/a
Score:
  10/10
Tags:
bootkit persistence
Link:
https://tria.ge/reports/201115-ddrlj2aqra/
Behaviour
Checks processor information in registry
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Checks for any installed AV software in registry
JavaScript code in executable
Writes to the Master Boot Record (MBR)
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478
MD5 hash:
3dc0dee080fabc72eb28cc5fd88b4ece
SHA1 hash:
03cecb53b81f7f0fe8c3bcd1953e6b9caa6d3897
Link:
https://www.unpac.me/results/577f669f-e762-4843-b1fc-aa079bb19203/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Babar
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments