MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0bc81d4c214ed3eb779f8d0549362dae2114298eb96ad70af17da0fac80c4b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0bc81d4c214ed3eb779f8d0549362dae2114298eb96ad70af17da0fac80c4b9
SHA3-384 hash: 5a5ae0f198801d0b4898f3105f881679bcf602d16cba4998cf68df8e0d2ea3b6bc4abc2605e596e92ff436b7666045a3
SHA1 hash: b0983e6196acf13d3cf395ece3732f55535017f1
MD5 hash: c245bdd9954b0b63b7b203544bd253f1
humanhash: four-network-michigan-eighteen
File name:tpmbbusinessoperations@cba.com.au See Purchase Contract .exe
Download: download sample
File size:606'128 bytes
First seen:2022-09-05 10:29:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e2a592076b17ef8bfb48b7e03965a3fc (388 x GuLoader, 59 x RemcosRAT, 44 x VIPKeylogger)
ssdeep 6144:epkXGhl8JXCZSNfeJcRIwCuZclsFCUV3+ut08TPUjUjmMCmOGe9/v3ds6YGflSEn:3W8NwSHTCum0CUV+MTmWCfnRYG4O
Threatray 5'548 similar samples on MalwareBazaar
TLSH T175D4AD116A20B623CDE57FB55FB7428633B4BD546B62A2CF36C4761C2E7F293490A348
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 696d696965d4f426
Reporter madjack_red
Tags:exe signed

Code Signing Certificate

Organisation:Langblgernes snittle Storkeredens
Issuer:Langblgernes snittle Storkeredens
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-08T02:32:47Z
Valid to:2025-05-07T02:32:47Z
Serial number: 62aeb05d92bd2bf3
Thumbprint Algorithm:SHA256
Thumbprint: 5a7bdd9498e8bdf594867e6f63393ed133ab20773d593c07bc3c6745458952b9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
tpmbbusinessoperations@cba.com.au See Purchase Contract .exe
Verdict:
Malicious activity
Analysis date:
2022-09-05 10:35:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bccdf9e6-52fb-460c-919b-43e584e29989

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/307812/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61682285.27644.23453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a file in the %AppData% subdirectories
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Searching for the Windows task manager window
Launching a process
Creating a process with a hidden window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/36656/overview
Behaviour
MalwareBazaar
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/6315d02c2916aa42940e0dcf/reports/ed37eb67-7429-4625-a623-4e4d5ef261eb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1e2e4213-29d1-4c61-ab2d-ce4282caa9b1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/1065040
Signature
Initial sample is a PE file and has a suspicious name
Mass process execution to delay analysis
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 697567 Sample: tpmbbusinessoperations@cba.... Startdate: 05/09/2022 Architecture: WINDOWS Score: 56 40 Multi AV Scanner detection for submitted file 2->40 42 Initial sample is a PE file and has a suspicious name 2->42 44 Mass process execution to delay analysis 2->44 7 tpmbbusinessoperations@cba.com.au See  Purchase Contract .exe 5 49 2->7         started        process3 file4 32 C:\Users\user\AppData\...\spellfix.dll, PE32+ 7->32 dropped 34 C:\...\System.Net.NetworkInformation.dll, PE32+ 7->34 dropped 36 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 7->36 dropped 38 C:\Users\user\AppData\Local\...\System.dll, PE32 7->38 dropped 10 powershell.exe 7->10         started        12 powershell.exe 7->12         started        14 powershell.exe 7->14         started        16 27 other processes 7->16 process5 process6 18 conhost.exe 10->18         started        20 conhost.exe 12->20         started        22 conhost.exe 14->22         started        24 conhost.exe 16->24         started        26 conhost.exe 16->26         started        28 conhost.exe 16->28         started        30 24 other processes 16->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0bc81d4c214ed3eb779f8d0549362dae2114298eb96ad70af17da0fac80c4b9/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-02 01:57:43 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
6 of 40 (15.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uc6idvgcctwt5n3z7difje3c3lrbcquy5olk24fpc7na7leays4q._file
Verdict:
malicious
Similar samples:
011bc5d6f824739b9ce820b2bc4a439a0d875427b9dc73a32797643276b50880
2f5639932c7a25cf51737748cdc495367a9203e0a963f930f0009935109da190
3d98372c6a97d777c51dc68da43d45b9183ceef3219df340a76aef12f6967555
42568b23642c3e00e11b6cec958a4395b96538b04148b9855b4881392dce66d1
8287f37fbd5697059ed98cd9b6b925c832fe6b229c035354e588e8a8793f9590
8e775324fc69a677394cf6d079d1d45bf53af10acd683bda53e5f86a8a192393
c2c6dbfb6b0c03a22473c7f2f6cbfe0bbf500c795b920ddeb37c27af7de76d93
d4405060b30fab298c2747fc58ec301dfa160be2df3e335a78900fac044a2493
d5a8b6cb7b39d6f71ce67c6c8e17030079f2778087ee12c0ad45bd823f7bd53c
d789a675b16eca7a3d78fffd03d6dfc18a396d6eac4da2472b99700ff1cb09c7
+ 5'538 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220905-mjtrhahhf9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Loads dropped DLL
Unpacked files
SH256 hash:
7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
MD5 hash:
c5b9fe538654a5a259cf64c2455c5426
SHA1 hash:
db45505fa041af025de53a0580758f3694b9444a
Link:
https://www.unpac.me/results/71c116ce-5d7c-46b6-a527-92d975fc00a0/
SH256 hash:
ad2b9d8cf9ba2ff41dd5f62374e75351a2071df5a12c435a844cc974c532e848
MD5 hash:
9c3dd3633c00f02747013b616ed4c5d0
SHA1 hash:
fbc08d80c4db8d1b65812924e0b0df6a1d6f74ac
Link:
https://www.unpac.me/results/71c116ce-5d7c-46b6-a527-92d975fc00a0/
SH256 hash:
8c6a95a1bf06c22224ab43bc1a1948f2cb0fd8d7089f2b828033c0fde161d2c2
MD5 hash:
d5bf01b2a316120d3d906e48e850520e
SHA1 hash:
a0e2f1caca1d35c227d231e6063d71ffe1d06322
Link:
https://www.unpac.me/results/71c116ce-5d7c-46b6-a527-92d975fc00a0/
SH256 hash:
a0bc81d4c214ed3eb779f8d0549362dae2114298eb96ad70af17da0fac80c4b9
MD5 hash:
c245bdd9954b0b63b7b203544bd253f1
SHA1 hash:
b0983e6196acf13d3cf395ece3732f55535017f1
Link:
https://www.unpac.me/results/71c116ce-5d7c-46b6-a527-92d975fc00a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.78
Link:
https://yomi.yoroi.company/submissions/a0bc81d4c214ed3eb779f8d0549362dae2114298eb96ad70af17da0fac80c4b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/307812/

Comments