MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9689d6b40728caa3c8f3331726f53034e6f013630ad0f828858a444d88dd73df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9689d6b40728caa3c8f3331726f53034e6f013630ad0f828858a444d88dd73df
SHA3-384 hash: 121f9699317ea443f370c396e0444425028a598f64d8eab00d6f5aa50f1b9b4885a12236b2999c3c27da98cbedac11f7
SHA1 hash: 5d98b03d1bbdc43e7854b78f93de8eba4eab3023
MD5 hash: 7f75ddef2311c95b4d8033e960360861
humanhash: eight-six-juliet-zulu
File name:7f75ddef2311c95b4d8033e960360861.exe
Download: download sample
File size:5'859'968 bytes
First seen:2021-11-23 20:09:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:cZaZZylqFE40oo4vktS6mQ8/9ECNcz66vj5lIuEfdMWotwjXi5+tLc:cUYq27oGtS6mR/mCmj5lg6htwjXicW
Threatray 7'969 similar samples on MalwareBazaar
TLSH T1F746330226C5C22BF5A74CF8C928735351B8FC613863FB261A546D1D6372C21DA6B7EB
File icon (PE):PE icon
dhash icon e4f4a4c4c8ccc2e0 (2 x DanaBot)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
209
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7f75ddef2311c95b4d8033e960360861.exe
Verdict:
No threats detected
Analysis date:
2021-11-23 20:44:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bcc2a1d4-d902-4745-956f-9c244e8a7327

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed virus
Link:
https://www.filescan.io/uploads/619d4a9cb71ceed4152d7039/reports/e3746b1f-a406-4ac4-8d27-0dc7ef1c1dd7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/76b67988-f727-428e-9735-14e890ff3d57
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/895047
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527520 Sample: vAsfZhw32P.exe Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 7 other signatures 2->47 7 vAsfZhw32P.exe 25 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\caribivp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\bauera.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->27 dropped 29 3 other files (none is malicious) 7->29 dropped 10 caribivp.exe 3 18 7->10         started        15 bauera.exe 7 7->15         started        process5 dnsIp6 37 ip-api.com 208.95.112.1, 49745, 80 TUT-ASUS United States 10->37 39 192.168.2.1 unknown unknown 10->39 31 C:\Users\user\AppData\...\urmoftmfpkh.vbs, ASCII 10->31 dropped 59 Antivirus detection for dropped file 10->59 61 Multi AV Scanner detection for dropped file 10->61 63 Query firmware table information (likely to detect VMs) 10->63 65 May check the online IP address of the machine 10->65 17 wscript.exe 12 10->17         started        33 C:\Users\user\AppData\...\DpEditor.exe, PE32 15->33 dropped 67 Machine Learning detection for dropped file 15->67 69 Hides threads from debuggers 15->69 71 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->71 21 DpEditor.exe 15->21         started        file7 signatures8 process9 dnsIp10 35 iplogger.org 5.9.162.45, 443, 49746 HETZNER-ASDE Germany 17->35 49 System process connects to network (likely due to code injection or exploit) 17->49 51 May check the online IP address of the machine 17->51 53 Query firmware table information (likely to detect VMs) 21->53 55 Hides threads from debuggers 21->55 57 Tries to detect sandboxes / dynamic malware analysis system (registry check) 21->57 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9689d6b40728caa3c8f3331726f53034e6f013630ad0f828858a444d88dd73df/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 20:10:28 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
03555d8ea739df664c3eb88e62a30e7c590233eff39c2dfe7f72bd717eb3d716
075811c1b041821aa0902e5035ab2177e6c97c451896ee954d98486d049face6
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
41c2bbd61ad11d1fd1e1c8771edd92d1ab5df475c65764c2c5153f6afef84894
79eb109f62c883549a6a2b1dbe9428efcc66ca8dcf57a91b87f88d08499b6369
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
a74270fed65ae7392cf3a7e1b808c150bcafede137f3cf005c0440dbea7c3e4d
d3184ceae376a789ccd61e767da3f21cacd72dfc7162a5e1a9569c7244d0bf9a
d7b4b6a43396314d34f68e01bb1dd58a673c97519318f6dd67ee46acace6191e
+ 7'959 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211123-yxqgsaeda2/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
217cf2939cbd8fb4ffca415b42335763e8fb1acbd8781c4516514be51b754ce4
MD5 hash:
c969b2b2d51f8511df4aa92ebaec3768
SHA1 hash:
ae74e753f8978d7ca04f9adcc003bd56c796f037
Link:
https://www.unpac.me/results/49baaa4d-c72e-45a6-b719-2d99c5172d34/
SH256 hash:
63b3f639bc508496be68a31fafadcd9cda4b67d919b6f52ac2e7bae23a68d9cc
MD5 hash:
5db244f237d3972cfe5ef257ebfe27e5
SHA1 hash:
a9970e27739ae6a5d4424265b58afd1b459c6dd8
Link:
https://www.unpac.me/results/49baaa4d-c72e-45a6-b719-2d99c5172d34/
SH256 hash:
9689d6b40728caa3c8f3331726f53034e6f013630ad0f828858a444d88dd73df
MD5 hash:
7f75ddef2311c95b4d8033e960360861
SHA1 hash:
5d98b03d1bbdc43e7854b78f93de8eba4eab3023
Link:
https://www.unpac.me/results/49baaa4d-c72e-45a6-b719-2d99c5172d34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9689d6b40728caa3c8f3331726f53034e6f013630ad0f828858a444d88dd73df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9689d6b40728caa3c8f3331726f53034e6f013630ad0f828858a444d88dd73df

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/208814/
  
URLhaus
https://urlhaus.abuse.ch/url/1808519/
  
Delivery method
Distributed via web download

Comments