MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GOBackdoor


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c
SHA3-384 hash: 0566a018221591e7fd6e8b806abdb3bf8309a23021be80dab7aaecc8abe2f67697504cf2b70b332f444927de1c7e2fde
SHA1 hash: 6650174c246618d01baea575a454d1ac05d412bf
MD5 hash: 4c9b190bf8872fd4ef2eadae3e689f3a
humanhash: seven-ack-ack-happy
File name:888.exe
Download: download sample
Signature GOBackdoor
Create hunting rule
File size:17'829'888 bytes
First seen:2025-04-18 07:16:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 326fd86b0f25d245881dc7a4ad1098db (2 x GOBackdoor)
ssdeep 196608:qEGssp/q7wEIDqJ5OXYVe+ROn14vmkl/MpgjfDNf8fuZ0m0zQDwVDNhhjcVwT1Of:omJL0aDkNfCwT1O
Threatray 21 similar samples on MalwareBazaar
TLSH T1ED07F821DA4E5715E08A44BD72EFF2F1746E273253FA50F3A6140D18852F9EA6930B3B
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 70ccb2b2b2b2cc70 (1 x GOBackdoor)
Reporter abuse_ch
Tags:exe GOBackdoor

Intelligence

File Origin
# of uploads :
1
# of downloads :
552
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
888.exe
Verdict:
No threats detected
Analysis date:
2025-04-18 07:38:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e287e0b-d3d3-438c-9fe0-a958ad2f8cf3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/2824/
Detection(s):
SecuriteInfo.com.BackDoor.Siggen2.5254.23439.14765.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680200f12203b3e10cd0d931
Tags:
virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc virtual
Link:
https://www.filescan.io/uploads/6801fc7d89fec6b88b9ef48f/reports/c703d8ba-7554-4541-81f4-6145ca85ce7e/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7dba11d5-15e7-456d-a8dd-22b9727a3a56
Result
Threat name:
GO Backdoor
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1668231
Signature
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Yara detected GO Backdoor
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1668231 Sample: 888.exe Startdate: 18/04/2025 Architecture: WINDOWS Score: 72 23 Antivirus / Scanner detection for submitted sample 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected GO Backdoor 2->27 29 Joe Sandbox ML detected suspicious sample 2->29 7 888.exe 1 2->7         started        11 888.exe 2->11         started        13 888.exe 2->13         started        process3 dnsIp4 19 185.21.13.144, 17377, 49693 ZEN-ASZenInternet-UKGB United Kingdom 7->19 21 46.8.236.61, 443, 49692 FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics Russian Federation 7->21 31 Suspicious powershell command line found 7->31 15 powershell.exe 1 11 7->15         started        signatures5 process6 process7 17 conhost.exe 15->17         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c/
Threat name:
Win32.Spyware.Lummastealer
Create hunting rule
Status:
Malicious
First seen:
2025-04-18 07:17:19 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rgbzxorb4ovicamdvfb52dnicaitctfxlzsadydzp3txcckt7zwa._file
Verdict:
malicious
Label(s):
ghostsocks
Create hunting rule
Similar samples:
357d73cb4755b349bc37c412e4119783f0f5ae4c9ce005e51c944559ab69b4df
GOBackdoor
61f93164a2658ba6c1198e4679cc349bc8e100f5538f3b61728ae1d8ba9fa67e
GOBackdoor
854d5ac4352c653dbb566a39de26f260181a666c01dc8f26347585bcd129a99d
GOBackdoor
90b3a30668871e1af9a1b449466589aa7f1096c7ec4a016394565d7d156f4451
GOBackdoor
93c71027c0484c7be95f7285b2fe668b60b3bec52b0f57d0deb01fcdfe111a89
GOBackdoor
c67e82a5d7614d4ab31781c392d91de7ed5dc8fa5751c2db8c8cf7382954f13f
GOBackdoor
d460044a5b2f4c50ef44ed82d6e52734e296cbc7bbbdfd7eab10e785e49807cf
GOBackdoor
error
GOBackdoor
f3584fb954571db60dddaad92fc8cd0f52446ab3d136d4f6e8aba63aa6bdb2f1
GOBackdoor
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250418-h4fyxsymz2/
Behaviour
Program crash
System Location Discovery: System Language Discovery
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01d73134-fe87-4143-876f-0e1cd5c8be9b
Unpacked files
SH256 hash:
89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c
MD5 hash:
4c9b190bf8872fd4ef2eadae3e689f3a
SHA1 hash:
6650174c246618d01baea575a454d1ac05d412bf
Link:
https://www.unpac.me/results/9f9c43e5-6987-4235-b109-49f361524c74/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

GOBackdoor

Executable exe 89839bba21e3aa810183a943dd0da81011314cb75e6401e0797ee7710953fe6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3481114/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/2824/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments