MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 870f6ee038047eaf74564a88e5720843676d449d4bfd7e893e0958851e7f5a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Predator


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 870f6ee038047eaf74564a88e5720843676d449d4bfd7e893e0958851e7f5a3c
SHA3-384 hash: 851581b0b96d222e7298aff61dbf3165100b1b21ce51011b66cd08aa8bb3eacdf4478af7c07ffccd67855eb22a4fd938
SHA1 hash: d6fc6a6c2eb4d93c3e8e8db500f665df4334f89c
MD5 hash: 125d0ec7cc2c470c5e22bb1d67440ce7
humanhash: venus-eighteen-montana-victor
File name:PO BNB Trends.exe
Download: download sample
Signature Predator
Create hunting rule
File size:1'387'520 bytes
First seen:2022-06-13 06:48:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:/yrs23VC3RDeJvrf8NdE9qXR5/jpL9g6uhU6WHV7CfEu3YVseSVHyY1p1WjFiYh+:/yrsSHrfSdE81V6iuASVSASF10ju8
Threatray 9'249 similar samples on MalwareBazaar
TLSH T11155F1073AC95AA4C2D876765FA8D69113F1E29B220CD78F2E8443D4DE523C77E0E25E
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon c89c98acacacbcac (31 x Loki, 23 x AgentTesla, 22 x AveMariaRAT)
Reporter abuse_ch
Tags:exe Predator

Intelligence

File Origin
# of uploads :
1
# of downloads :
258
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO BNB Trends.exe
Verdict:
Malicious activity
Analysis date:
2022-06-13 06:52:45 UTC
Tags:
evasion
Link:
https://app.any.run/tasks/97bb6c1c-cd8a-496f-8ea7-911bef4e9812

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PredatorTheThief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/279222/
Detection(s):
Win.Dropper.Smdd-6956905-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending a custom TCP request
Creating a window
Running batch commands
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62a6de22a454cbb2f2f8b753/reports/88e49fcb-e186-42f2-9cdd-7b09821a7c51/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cb94b21e-3816-4244-9966-8288e37cec48
Result
Threat name:
Predator
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1011768
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Predator
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 644266 Sample: PO BNB Trends.exe Startdate: 13/06/2022 Architecture: WINDOWS Score: 100 63 www.google.com 2->63 65 ip-api.com 2->65 81 Malicious sample detected (through community Yara rule) 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Yara detected AntiVM3 2->85 87 5 other signatures 2->87 10 PO BNB Trends.exe 15 4 2->10         started        signatures3 process4 dnsIp5 75 www.google.com 172.217.168.68, 443, 49742, 49856 GOOGLEUS United States 10->75 55 C:\Users\user\AppData\...\InstallUtil.exe, PE32 10->55 dropped 57 C:\Users\user\...\PO BNB Trends.exe.log, ASCII 10->57 dropped 105 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->105 15 cmd.exe 3 10->15         started        19 cmd.exe 1 10->19         started        file6 signatures7 process8 file9 59 C:\Users\user\AppData\Roaming\nadfiho.exe, PE32 15->59 dropped 61 C:\Users\user\...\nadfiho.exe:Zone.Identifier, ASCII 15->61 dropped 77 Uses ping.exe to sleep 15->77 21 nadfiho.exe 14 6 15->21         started        26 PING.EXE 1 15->26         started        28 conhost.exe 15->28         started        30 PING.EXE 1 15->30         started        79 Uses ping.exe to check the status of other devices and networks 19->79 32 reg.exe 1 1 19->32         started        34 PING.EXE 1 19->34         started        36 conhost.exe 19->36         started        signatures10 process11 dnsIp12 67 www.google.com 21->67 47 C:\Users\user\AppData\Local\...47BgshopUY.exe, PE32 21->47 dropped 89 Multi AV Scanner detection for dropped file 21->89 91 Machine Learning detection for dropped file 21->91 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 21->93 38 InstallUtil.exe 15 17 21->38         started        43 NBgshopUY.exe 21->43         started        69 192.168.2.1 unknown unknown 26->69 95 Creates an undocumented autostart registry key 32->95 71 127.0.0.1 unknown unknown 34->71 file13 signatures14 process15 dnsIp16 73 ip-api.com 208.95.112.1, 49919, 49926, 49927 TUT-ASUS United States 38->73 49 C:\Users\user\Desktop49ewtonsoft.Json.dll, PE32 38->49 dropped 51 C:\Users\user\...\update_221309.exe (copy), PE32 38->51 dropped 53 C:\Users\user\AppData\...53ewtonsoft.Json.dll, PE32 38->53 dropped 97 May check the online IP address of the machine 38->97 99 Tries to harvest and steal browser information (history, passwords, etc) 38->99 101 Antivirus detection for dropped file 43->101 103 Multi AV Scanner detection for dropped file 43->103 45 NBgshopUY.exe 43->45         started        file17 signatures18 process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/870f6ee038047eaf74564a88e5720843676d449d4bfd7e893e0958851e7f5a3c/
Threat name:
ByteCode-MSIL.Ransomware.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-06-13 06:03:01 UTC
File Type:
PE (.Net Exe)
Extracted files:
111
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4hw5ybyar7k65cwjkeok4qiintw2re5jp6x5cj6bfmikht7li6a._file
Verdict:
malicious
Similar samples:
1628bdc82fda80f4a5bc04a8781214c885d3b5f08aed4fba21ab66a5f73c3f06
Predator
1950a5e693e7b214a5b20a07920f623e422e3c466369197c0f76c5f62e3396df
Predator
af76a6f7dd8cdb56461666edd2179ee0aefd6c773bbbbd2b7f55d03326cc6510
Predator
b72e48f5e44ac62ff8a6946d030f1d156d0ecd2c6f6a38e42df69b1290d7fd7e
Predator
c14b0b8755871a595d9e9ae5aaa00dfc611a36b6198d5703b38c535e31688675
Predator
dba69ac53609fa23cfbcfdd0eca6429d887a131873c06b2caca27d1319969262
Predator
f62eb2c218ce5b7958aa7fcd2aa5c604fcc571e10bb4c373bb396d9e85733e44
Predator
+ 9'239 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection discovery persistence spyware stealer
Link:
https://tria.ge/reports/220613-hlb71secdq/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
870f6ee038047eaf74564a88e5720843676d449d4bfd7e893e0958851e7f5a3c
MD5 hash:
125d0ec7cc2c470c5e22bb1d67440ce7
SHA1 hash:
d6fc6a6c2eb4d93c3e8e8db500f665df4334f89c
Link:
https://www.unpac.me/results/71654dff-4de7-495b-bc74-e70510cca8bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/870f6ee038047eaf74564a88e5720843676d449d4bfd7e893e0958851e7f5a3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
Author:ditekSHen
Description:Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Rule name:INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many VPN software clients. Observed in infosteslers
Rule name:MAL_Lokibot_Stealer
Create hunting rule
Description:Detects Lokibot Stealer Variants
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Redline_Stealer_Monitor
Create hunting rule
Description:Detects RedLine Stealer Variants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/279222/

Comments