MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60
SHA3-384 hash: 726ed9c45c71d991c6b1540bdd20dfc950daa3f71e1598d285955d7ad5bbdc9d5d650363180a8545c0ef49f042c05d89
SHA1 hash: 1864c0d96ad1ea1c10db82b1613d68e9016e771c
MD5 hash: bfbbb8571fc1d4dbd8053e5154cda305
humanhash: ceiling-november-alanine-twenty
File name:bfbbb8571fc1d4dbd8053e5154cda305.exe
Download: download sample
File size:4'336'128 bytes
First seen:2021-10-18 11:33:35 UTC
Last seen:2021-10-18 13:31:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c58ba983cbcad8b3c06c5b4f999bb55 (1 x Mansabo)
ssdeep 98304:mEzyXcTqaJ9IyyPc2iBZ83hHla+FOuWyVO5mo8/xCV:NzlTq742iBIHllFOhyxXw
Threatray 37 similar samples on MalwareBazaar
TLSH T17416123352263D06F8E6CC3185377FE671F1126F5AF2A878A6CE69C325250A1E20F957
File icon (PE):PE icon
dhash icon f0c0fefcfefcfefc (1 x MeduzaStealer)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
Verdict:
Malicious activity
Analysis date:
2021-10-18 04:25:59 UTC
Tags:
trojan stealer loader
Link:
https://app.any.run/tasks/e41c4eaa-a026-492a-8bda-fbc74871b7f6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198145/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware1.15325.15147.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a TCP request to an infection source
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed
Link:
https://www.filescan.io/uploads/616d5bb3db358dd15ebf4530/reports/f1542346-f8c3-44e1-a7cd-da2d0336f0f4/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c98fe866-ba00-4861-8403-fc4bcf247525
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/872216
Signature
Creates autostart registry keys with suspicious names
Detected VMProtect packer
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potentially malicious time measurement code found
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504649 Sample: owWjOGiSan.exe Startdate: 18/10/2021 Architecture: WINDOWS Score: 100 69 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Detected VMProtect packer 2->73 75 3 other signatures 2->75 8 owWjOGiSan.exe 4 2->8         started        13 B58F21522968539009248.exe 2->13         started        15 B58F21522968539009248.exe 2->15         started        process3 dnsIp4 61 niggerburner.coin 8->61 55 C:\Users\user\...\B58F21522968539009248.exe, PE32 8->55 dropped 57 B58F21522968539009...exe:Zone.Identifier, ASCII 8->57 dropped 87 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->87 89 Drops PE files to the document folder of the user 8->89 91 Tries to detect virtualization through RDTSC time measurements 8->91 93 Potentially malicious time measurement code found 8->93 17 B58F21522968539009248.exe 8->17         started        21 cmd.exe 1 8->21         started        63 niggerburner.coin 13->63 23 cmd.exe 13->23         started        65 niggerburner.coin 15->65 25 cmd.exe 15->25         started        file5 signatures6 process7 dnsIp8 59 niggerburner.coin 167.99.197.71, 63156, 80 DIGITALOCEAN-ASNUS United States 17->59 77 Multi AV Scanner detection for dropped file 17->77 79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->79 81 Machine Learning detection for dropped file 17->81 85 3 other signatures 17->85 27 cmd.exe 17->27         started        30 WerFault.exe 17->30         started        33 notepad.exe 17->33         started        35 WerFault.exe 17->35         started        83 Encrypted powershell cmdline option found 21->83 37 powershell.exe 26 21->37         started        39 conhost.exe 21->39         started        41 powershell.exe 23->41         started        43 conhost.exe 23->43         started        45 2 other processes 25->45 signatures9 process10 dnsIp11 95 Encrypted powershell cmdline option found 27->95 47 conhost.exe 27->47         started        49 powershell.exe 27->49         started        67 192.168.2.1 unknown unknown 30->67 97 Uses netsh to modify the Windows network and firewall settings 37->97 99 Modifies the windows firewall 37->99 51 netsh.exe 37->51         started        53 netsh.exe 41->53         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60/
Threat name:
Win32.Trojan.Tasker
Create hunting rule
Status:
Malicious
First seen:
2021-10-18 11:27:21 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
14c9d0fb3da03dbd8095865240e1b3456a78ab740b1b46526573992b48eed0cf
196de41048232f60a7d93e73e7dd03bd524a79217c3408b98e69b855c7f83504
4f4a33f70099855f5f503716515f388da3a5daa1e2fac59ec6c881e89ef7d072
7f588ecbff9405b87fa5b809b52d0b667f19a09e47bafc2cf1f5f9d5f19f16c1
a98b37b337927ef6cea8a053a4ea676646de4dfbf6ce9619593246a1ecc362b6
ae74fa3656db93c35b26ed229568607bb9c20684818ad072b95aefb585c63a08
b0bc5a3dae0127da8f7743df8dc4014e9ba08c5a29928448aed8764242050da2
ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
f1aae79787fff8edd5f6769ebecf43eb5a94d392cb3723810a66dd9868ec2925
f4664c5755201698e642717b53a4f091908cba27ee4750ca6be358567823822a
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence suricata vmprotect
Link:
https://tria.ge/reports/211018-nn88esedfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks BIOS information in registry
Loads dropped DLL
Modifies Windows Firewall
VMProtect packed file
Executes dropped EXE
suricata: ET MALWARE Generic .bin download from Dotted Quad
Unpacked files
SH256 hash:
1136275c46601cb7c41fea679827fe7c1f7537a431c9290be6c98027c7934f3c
MD5 hash:
bb33149355d86200429d7afeffbf3ab5
SHA1 hash:
6c0ea5fe103cca44b356069dec6db5d61c867097
Link:
https://www.unpac.me/results/d633f7af-50cf-4f9f-8f4a-f999211dcdb7/
SH256 hash:
e73b4727b79070137fe08884901aa771fc9be7585e57193c1305d4d64f8544ad
MD5 hash:
fba22ce7878450ce113e00cfaf286c3c
SHA1 hash:
a6c421654f091ef04dfd2dbc55a180f2806156ac
Link:
https://www.unpac.me/results/d633f7af-50cf-4f9f-8f4a-f999211dcdb7/
SH256 hash:
8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60
MD5 hash:
bfbbb8571fc1d4dbd8053e5154cda305
SHA1 hash:
1864c0d96ad1ea1c10db82b1613d68e9016e771c
Link:
https://www.unpac.me/results/d633f7af-50cf-4f9f-8f4a-f999211dcdb7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/8d3acf2f0ec215aa77026016f145230bf44a3a6c411349f1e49f86561380bb60

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198145/

Comments