MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d
SHA3-384 hash: 175b428635e36d78503d38155fe680d4eb956c9db67ef096495b492d25f74b61939e2784fa655841246ed00c279efa0a
SHA1 hash: e442c3f44b5be7ef7ddb6a00babddbe1e0418238
MD5 hash: b5f92307904d7ff7b239d7f3be88cbd0
humanhash: glucose-oven-hawaii-football
File name:b5f92307904d7ff7b239d7f3be88cbd0
Download: download sample
File size:3'228'169 bytes
First seen:2021-11-23 10:14:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 49152:q1ZYroflYi0UQUQzVmPN/FVWkGLzoyEaLzZFMruRFU5AFHZgy7lIJjMe4sMGCrx:qZpljjuVmxFsLzzEQFMr6HGvjfMLx
Threatray 7'372 similar samples on MalwareBazaar
TLSH T1FFE53352B84D88A3F3AE47F4526C66320916FD273A30C155A79C7EAD627205BC0267FF
File icon (PE):PE icon
dhash icon e4f4a4c4c8ccc2e0 (2 x DanaBot)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7387f1ae36b2649856c5077edb63e70.exe
Verdict:
Malicious activity
Analysis date:
2021-11-23 09:46:19 UTC
Tags:
stealer trojan loader
Link:
https://app.any.run/tasks/aa2243a3-a328-4f90-9ec3-5ba26fede4e2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Gathering data
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for the window
Searching for analyzing tools
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/619cbf2af36138de3f36dccb/reports/f8eda1d8-9122-4c05-9c17-ca9efc22e9ea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b128a634-7122-40d8-87ce-9439b1ec95fc
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/894622
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527101 Sample: RtpLhZOyaf Startdate: 23/11/2021 Architecture: WINDOWS Score: 100 39 Multi AV Scanner detection for domain / URL 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 6 other signatures 2->45 7 RtpLhZOyaf.exe 25 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\caribivp.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\bauera.exe, MS-DOS 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->27 dropped 29 3 other files (none is malicious) 7->29 dropped 10 caribivp.exe 3 18 7->10         started        15 bauera.exe 7 7->15         started        process5 dnsIp6 37 ip-api.com 208.95.112.1, 49754, 80 TUT-ASUS United States 10->37 31 C:\Users\user\AppData\Local\...\mrafmatio.vbs, ASCII 10->31 dropped 51 Antivirus detection for dropped file 10->51 53 Multi AV Scanner detection for dropped file 10->53 55 Query firmware table information (likely to detect VMs) 10->55 59 4 other signatures 10->59 17 wscript.exe 12 10->17         started        33 C:\Users\user\AppData\...\DpEditor.exe, MS-DOS 15->33 dropped 57 Machine Learning detection for dropped file 15->57 21 DpEditor.exe 15->21         started        file7 signatures8 process9 dnsIp10 35 iplogger.org 5.9.162.45, 443, 49757 HETZNER-ASDE Germany 17->35 47 System process connects to network (likely due to code injection or exploit) 17->47 49 May check the online IP address of the machine 17->49 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d/
Threat name:
Win32.Trojan.Sleltasos
Create hunting rule
Status:
Malicious
First seen:
2021-11-23 10:15:21 UTC
File Type:
PE (Exe)
Extracted files:
13
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
59193209add2aa657db4343d23ddc12453746a3cdf63117db522f3976bd88cc0
6319b895e7a61947bfa702bf9f092d585f76a983666bbceb8d6dcbabe50e330d
6f4ac0da343abb9dd25d7a27c302a6ab29ed9e7c49123b3c8200138abd3eaea5
879305570a2b3dbe710ddd09445db20a1159696a6c72a503135db8eaef5eecb7
879fccdf9b4b09063a6dbf1ac2cc381a1ebcacf6e38f5b8d4889785a4ccde22a
bf45b415add34c4a9cfd28e2f0060a5771b452a290d4807cc66e5e0355b014c0
c3315d1c3860a9a019c4693680a9d4522a81f3cc804aef5fbb760048401a44af
df7841fad13bb90a108a0861c92c565ad754528e684600ad07011cd4e83f1a63
+ 7'362 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211123-l98snsche2/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SH256 hash:
269f13d1968ac4642ca532be86a83bf1b84f566fce8495fe1f99fcb0e149077c
MD5 hash:
ecd05c1f8b455eec1f44b5f19a973192
SHA1 hash:
a6932d5d5ba1fc748e428ac08ca90f348839ae45
Link:
https://www.unpac.me/results/1533d985-3cc2-4e11-8d35-dbefaa4a1b34/
SH256 hash:
78bccfea7d966a0f931fc7082d45c280af8001157a772d093e5e3ebe03b5ef92
MD5 hash:
839a15f29f121d35fc6e307c0f209f04
SHA1 hash:
68ea7f9ea4b8c51354421d45aea2e1131e417fa0
Link:
https://www.unpac.me/results/1533d985-3cc2-4e11-8d35-dbefaa4a1b34/
SH256 hash:
e74d93c430def33f0fee2d3d7e18f42a868346d5376d8bad9851ce88568a773f
MD5 hash:
11da49121c2b38c28ea6e058e72ea9e5
SHA1 hash:
793a96a98ea14035919d23926ef31d1f71b22e05
Link:
https://www.unpac.me/results/1533d985-3cc2-4e11-8d35-dbefaa4a1b34/
SH256 hash:
a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d
MD5 hash:
b5f92307904d7ff7b239d7f3be88cbd0
SHA1 hash:
e442c3f44b5be7ef7ddb6a00babddbe1e0418238
Link:
https://www.unpac.me/results/1533d985-3cc2-4e11-8d35-dbefaa4a1b34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a16870457b27dc28fbe98cf395c127b7884366d9cd244583c226a36e76dee72d

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208642/
  
URLhaus
https://urlhaus.abuse.ch/url/1808519/

Comments


Avatar
zbet commented on 2021-11-23 10:14:27 UTC

url : hxxp://mywmis14.top/downfiles/kumasi.exe