MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9115b821f251889ec675158dc52d6b8c17278107b1ed4c2c1b1adbbe9809cb60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9115b821f251889ec675158dc52d6b8c17278107b1ed4c2c1b1adbbe9809cb60
SHA3-384 hash: 3273d7f5711ab112904ba71a0dd84019c6224f9a4bb7aa7c7bde731863a02db2b03d5d49f477d8cbe743f75451a675df
SHA1 hash: ea5c0b5d5aa0df473348559b309b5d936c9f5ef2
MD5 hash: 8359c8810d225dda7f6de36f2a7bed5e
humanhash: oscar-ceiling-mike-hot
File name:SecuriteInfo.com.BackDoor.Bladabindi.13678.4541.22457
Download: download sample
File size:30'208 bytes
First seen:2022-07-26 17:50:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 384:5f3Cz1fCTlNqwZeY7AT4aFckxrLRwc7YHIqiY3w3O:Ez1+qGxApckpIPiY3w+
Threatray 731 similar samples on MalwareBazaar
TLSH T1A1D22D2712DEBEE6C8B81670377343D1D76DDE049403CA2E59D4B52A8A7E2437A923C9
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 414545c0d4c05503 (37 x njrat, 3 x AsyncRAT, 1 x RedLineStealer)
Reporter SecuriteInfoCom
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
351
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/294446/
Detection(s):
SecuriteInfo.com.BackDoor.Bladabindi.13678.4541.22457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/62e029ce7dd0cb902f01ac24/reports/b38f08ef-7def-4559-ae20-e8979a830b2e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1f436a67-a255-4843-b36f-8dbf1afef05e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1041337
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Uses Windows timers to delay execution
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9115b821f251889ec675158dc52d6b8c17278107b1ed4c2c1b1adbbe9809cb60/
Threat name:
ByteCode-MSIL.Backdoor.Ratenjay
Create hunting rule
Status:
Malicious
First seen:
2022-07-26 17:17:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sek3qipskgej5rtvcwg4klllrqlspaihwhwuyla3dln35gajznqa._file
Verdict:
suspicious
Similar samples:
0e49ced6331da16deb263cc7cbfdc8a6a3433a71f5c67cb64c7980a18faec884
14eb1e82e99353e4e4fb35444b82e3af528ea1193e921b14f8ebdba6e457f0ef
1d4ab61e893996a780e9e8fd748789acc6c381777083584f0129414a0ccf434e
35356ffd06abd1c12e45c9ff69e768185117ee4a145c98f8fae00340bddbb5e9
6240727df14fda7a67dc81c2bdfab6f28e468377b918e4293fc6a130ad8d2a81
c30e917e3e8902bffe01a166f0665885e41d5e2ccf74626e025b97dc0c5bce7e
d2d2b104754e2a49b15b4cbd675ddf2919d1820c58f7e495b9d786bb43785141
fbfc1b7c4ed342911b2f3faa8d70e33436210620cb34296267283ab82f612068
fc08885434f9b2677ca7076bc2651218335dfb40141fa7fe49558bd3c7eb4e5a
ff06c54cab0bdcb0cea8c47f5ef001b2fc917ba857a0d14308ab7211408ba608
+ 721 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220726-we54eafdb8/
Unpacked files
SH256 hash:
9115b821f251889ec675158dc52d6b8c17278107b1ed4c2c1b1adbbe9809cb60
MD5 hash:
8359c8810d225dda7f6de36f2a7bed5e
SHA1 hash:
ea5c0b5d5aa0df473348559b309b5d936c9f5ef2
Link:
https://www.unpac.me/results/eab24ee2-fc74-441a-a2eb-76cc7d492bf4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9115b821f251889ec675158dc52d6b8c17278107b1ed4c2c1b1adbbe9809cb60

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2261526/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/294446/

Comments