MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88502f27ab03c34af7ceda2bb6fecda42ae227e74e8a5e52346db749e200d134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Lobshot

Vendor detections: 12


SHA256 hash: 88502f27ab03c34af7ceda2bb6fecda42ae227e74e8a5e52346db749e200d134
SHA3-384 hash: d81dab2cbcdc267faa03d7d119751aa714c2211f0def0d405862d6ca318c61903fe8390459a905f0ebf1d6fb840fa156
SHA1 hash: 2ca12e1bf681180799a2f277c13218418bb9f1bb
MD5 hash: 7104f635a41839bac7835703f06f744e
humanhash: washington-utah-saturn-nuts
File name: 7104f635a41839bac7835703f06f744e
Signature: Lobshot
File size: 97'280 bytes
First seen: 2023-07-05 07:43:13 UTC
Last seen: 2023-07-05 08:39:31 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 65624f92376796124f44332f088e6bfd (1 x Lobshot)
ssdeep: 1536:auj56ycNa0SNndwAhRvTlrYZUkGnP3+RBJWPnhdTW8tBniRgR:auj5+NJINhRvTHlnP3+RB4pYwBi
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1A8936B00F6D49ABEFC32403564DAB773452DBA382B1D0DE3AD4D6942E5122C12B763EB
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: zbetcheckin
Tags: 32 exe Lobshot

Intelligence

File Origin
# of uploads: 2
# of downloads: 313
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 7104f635a41839bac7835703f06f744e
Verdict: Malicious activity
Analysis date: 2023-07-05 07:43:52 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a process with a hidden window
Creating a file
Searching for synchronization primitives
Running batch commands
Launching a process
Sending a custom TCP request
Creating a process from a recently created file
Moving a recently created file
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Adding an exclusion to Microsoft Defender
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
CheckComputerName
CheckHostName
CheckUsername
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: darkvnc lolbin shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 92 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to modify clipboard data
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Tries to access browser extension known for cryptocurrency wallets
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph: ID 1267027, Sample: FOd5nH2tbD.exe, Startdate: 05/07/2023, Architecture: WINDOWS, Score: 92
(process tree recovered from the graph text; signatures attached to the root node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file)

FOd5nH2tbD.exe
  dropped: C:\ProgramData\TrRJLfmPbPyzKCdX.exe (PE32)
  dropped: C:\...\TrRJLfmPbPyzKCdX.exe:Zone.Identifier (ASCII)
  signatures: Suspicious powershell command line found; Contains functionality to modify clipboard data; Adds a directory exclusion to Windows Defender
  started: cmd.exe
    started: TrRJLfmPbPyzKCdX.exe
      network: 91.235.136.155, port 443 (local ports 49690, 49691), SERVERIUS-ASNL, Russian Federation
      dropped: C:\...\TrRJLfmPbPyzKCdX.exe.15732c6f (copy) (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; 2 other signatures
      started: cmd.exe
        signatures: Uses cmd line tools excessively to alter registry or file data
        started: conhost.exe, reg.exe, timeout.exe
      started: powershell.exe
        started: conhost.exe
    started: conhost.exe, timeout.exe
  started: cmd.exe
    signatures: Uses cmd line tools excessively to alter registry or file data
    started: conhost.exe, reg.exe, timeout.exe
  started: powershell.exe
    started: conhost.exe
Threat name: Win32.Trojan.Casdet
Status: Malicious
First seen: 2023-07-05 07:44:05 UTC
File Type: PE (Exe)
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: persistence spyware stealer
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 88502f27ab03c34af7ceda2bb6fecda42ae227e74e8a5e52346db749e200d134
MD5 hash: 7104f635a41839bac7835703f06f744e
SHA1 hash: 2ca12e1bf681180799a2f277c13218418bb9f1bb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Windows_Trojan_Lobshot_013c1b0b
Author: Elastic Security

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
Malware family | File type | SHA256 hash
Lobshot | Executable exe | 88502f27ab03c34af7ceda2bb6fecda42ae227e74e8a5e52346db749e200d134 (this sample)

Delivery method: Distributed via web download

Comments

zbet commented on 2023-07-05 07:43:13 UTC

url: hxxp://5.182.38.138/setop.exe