MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b
SHA3-384 hash: bf13d98b0e851f633045c95b83089a7b3fa333bab2c3fac72cdd504f6dc20538f1e51596a23cbb840013e7a7cb9b6d87
SHA1 hash: 299e0fbb67da7da51f9fcfa28d7c73dc33e8ffe7
MD5 hash: 7373ecb5148fc6a24cc99514acdd3c99
humanhash: mockingbird-diet-finch-violet
File name:4iBpiQUavIMb.exe
Download: download sample
File size:1'516'960 bytes
First seen:2022-11-26 09:22:24 UTC
Last seen:2023-08-27 08:50:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 15e5ac4e63af04f3034d99698484adf1 (2 x EternityStealer, 1 x RedLineStealer)
ssdeep 24576:EjspFoskGvYyWUqAukLEA9iddmyN/308Evw8jt7UJ32jNKJnLmO9htW9V8Z8:6hqYPUzvLAdP308qCkWtyV8Z8
Threatray 8'021 similar samples on MalwareBazaar
TLSH T15B65C003DB56BB07E3E6A8B73AE6BDD15713AD3B4CCA0439788176384779091F5A2348
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 8e176159595b378e
Reporter JAMESWT_WT
Tags:195-201-23-210 clineti2022 exe extra signed srv-fattureincloud-de

Code Signing Certificate

Organisation:woodbowl.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-11-15T17:45:44Z
Valid to:2023-02-13T17:45:43Z
Serial number: 04c9a34941d1a2fbae4a4a1ec5df8c927545
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: c88629616622992ab492843cb57f58367c6ab63b0d66010685b23f96d12c8b41
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
5
# of downloads :
177
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4iBpiQUavIMb.exe
Verdict:
Malicious activity
Analysis date:
2022-11-26 09:25:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e75b4feb-58c5-43da-820e-7dc954c3841e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/338730/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.16273.12333.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
DNS request
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
babar greyware overlay packed
Link:
https://www.filescan.io/uploads/6381daf7536377388865d527/reports/efedd46b-e6f7-4f03-bece-218114c58e79/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5402f0c4-4c1d-407e-8891-1d059195b71e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1121542
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Self deletion via cmd or bat file
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 754259 Sample: 4iBpiQUavIMb.exe Startdate: 26/11/2022 Architecture: WINDOWS Score: 76 59 Multi AV Scanner detection for submitted file 2->59 61 Machine Learning detection for sample 2->61 7 4iBpiQUavIMb.exe 10 2->7         started        12 Tat tow roc koyor manax wodebib haninew dolixo.exe 12 2->12         started        process3 dnsIp4 41 okopzdrp7mf2igx.vnq6wpt3kotk6pbocs3 7->41 37 Tat tow roc koyor ... haninew dolixo.exe, PE32 7->37 dropped 39 Tat tow roc koyor ...exe:Zone.Identifier, ASCII 7->39 dropped 63 Self deletion via cmd or bat file 7->63 65 Uses schtasks.exe or at.exe to add and modify task schedules 7->65 14 Tat tow roc koyor manax wodebib haninew dolixo.exe 15 7->14         started        18 cmd.exe 1 7->18         started        20 schtasks.exe 1 7->20         started        43 192.168.2.1 unknown unknown 12->43 45 www.imarket-eg.com 12->45 47 2 other IPs or domains 12->47 67 Writes to foreign memory regions 12->67 69 Allocates memory in foreign processes 12->69 71 Injects a PE file into a foreign processes 12->71 22 ngentask.exe 12->22         started        24 ngentask.exe 12->24         started        file5 signatures6 process7 dnsIp8 53 saeghaiquu.fun 5.8.47.52, 443, 49704 PINDC-ASRU Russian Federation 14->53 55 imarket-eg.com 160.153.50.70, 443, 49703, 49706 AS-26496-GO-DADDY-COM-LLCUS United States 14->55 57 2 other IPs or domains 14->57 73 Writes to foreign memory regions 14->73 75 Allocates memory in foreign processes 14->75 77 Injects a PE file into a foreign processes 14->77 26 ngentask.exe 2 14->26         started        79 Uses ping.exe to check the status of other devices and networks 18->79 29 PING.EXE 1 18->29         started        31 conhost.exe 18->31         started        33 chcp.com 1 18->33         started        35 conhost.exe 20->35         started        signatures9 process10 dnsIp11 49 195.201.23.210, 49701, 49702, 49705 HETZNER-ASDE Germany 26->49 51 127.0.0.1 unknown unknown 29->51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-11-18 12:22:19 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=to6s7reea562gknogzmbejqu7ipz7hp6ty7l7omcu2otf7cvuzvq._file
Verdict:
malicious
Similar samples:
11dd00b072a09a1fbb102e92ed096edb02f0dac02a88a690666873d4bcd2c515
23c021ec87c8743ef23796c3bfe371298388b4ef72fc6249b29858dc50ece722
3a6a8344c456313ab52c214caf2c86beae755e1f4c822699647b243e3d0bced5
499fb85e548a134abdf18b6a9d149b9c4f2bf9b0f534dd4c86e600180fb19bf9
4d5d803e91d5a07b32a19a06a8f722d3d4aead462bb2cab23470f2c2ad79b71a
5f633ef17fcbc3f2f34548cbf4af305f64873fefa7af6d3bcbde2b070b31f8a3
bb2ab6b864ce12a5df5b90ff291d5f1ef8fe2de529d986cf99ccc6272dd1e576
ccaea8ce020819c5c2c55cf1d77082bf9a4525f5fbf892f16d906d527d9c5726
cd3932d4db9fcac1b45dec936ab8e2b4e0fa3f5fc58abf418887962931000807
f0711e7499ee1ad5e52c7e11db0b6881eab2445f5f50e5fc90efba03a9bf299b
+ 8'011 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221126-lcf2dsbb4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c952a37c-c74a-464b-9f62-7fb0b90150e0
Unpacked files
SH256 hash:
a97247d9a2bea2478422006881886acc935b693bca3980b25b40abab596afc41
MD5 hash:
a6a2cc5c688a21af175145a285718e11
SHA1 hash:
b0dea5a0f1c1f817dfc83cd6d19e17bcfa9c4340
Link:
https://www.unpac.me/results/a744faac-ea21-4556-9d1a-6441772fb138/
SH256 hash:
9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b
MD5 hash:
7373ecb5148fc6a24cc99514acdd3c99
SHA1 hash:
299e0fbb67da7da51f9fcfa28d7c73dc33e8ffe7
Link:
https://www.unpac.me/results/a744faac-ea21-4556-9d1a-6441772fb138/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9bbd2fc48407/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 9bbd2fc484077da329ae3658122614fa1f9f9dfe9e3ebfb982a69d32fc55a66b

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/338730/
  
URLhaus
https://urlhaus.abuse.ch/url/2433688/
  
Delivery method
Distributed via web download

Comments