MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab08b3b1fe0ef92d0f112ab2d85303ce7cb12f1c06cda7e288c403e6d9c6312e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab08b3b1fe0ef92d0f112ab2d85303ce7cb12f1c06cda7e288c403e6d9c6312e
SHA3-384 hash: d2a3bb5434cd1d00cf1cc1ca2a05b832a3530d1e33ab949d4d8a458fae0b9fff17d213772b1229a264960190b92df73b
SHA1 hash: ef3bea6519980767b272ec5baf79d153ff0c0a7f
MD5 hash: 2a7bd91cd742426a77c9c744b449ee84
humanhash: maryland-saturn-kentucky-oven
File name:new_order_list_1805020230000000000000.exe
Download: download sample
File size:1'246'208 bytes
First seen:2023-05-19 09:24:49 UTC
Last seen:2023-05-20 15:16:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:VLhIlti7/gmmAPanezgj9SliYwxA/t7CzSAx7dVREbmf+XXGG57qY4HW0RDLvql/:VLhhaeKcidG5IMJilsnsp2xp
Threatray 1'443 similar samples on MalwareBazaar
TLSH T1C14538243DFA502AB173EFA98BE475E6DA6FB7733B07645D10A003864723981EDC153A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter lowmal3
Tags:exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
238
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
new_order_list_1805020230000000000000.exe
Verdict:
Malicious activity
Analysis date:
2023-05-19 09:26:43 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4731103c-c1ef-4e2d-ade8-19c77a03c6fa

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Variant.Barys.432306.14627.19912.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Changing a file
Creating a file
Using the Windows Management Instrumentation requests
Blocking the User Account Control
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin
Link:
https://www.filescan.io/uploads/646740700b0e03147aaa0a63/reports/77b1c8bd-4457-4019-bd57-cd6116610249/overview
Verdict:
Malicious
Labled as:
Barys.Generic
Link:
https://www.hybrid-analysis.com/sample/ab08b3b1fe0ef92d0f112ab2d85303ce7cb12f1c06cda7e288c403e6d9c6312e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/21a9946b-470e-43bd-a373-0a6925d8d024
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1237077
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Disables UAC (registry)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 870073 Sample: new_order_list_180502023000... Startdate: 19/05/2023 Architecture: WINDOWS Score: 100 23 Malicious sample detected (through community Yara rule) 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 8 other signatures 2->29 7 new_order_list_1805020230000000000000.exe 1 4 2->7         started        process3 file4 21 new_order_list_180...00000000000.exe.log, CSV 7->21 dropped 31 Adds a directory exclusion to Windows Defender 7->31 33 Disables UAC (registry) 7->33 11 powershell.exe 19 7->11         started        13 CasPol.exe 7->13         started        15 ServiceModelReg.exe 7->15         started        17 29 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab08b3b1fe0ef92d0f112ab2d85303ce7cb12f1c06cda7e288c403e6d9c6312e/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-05-18 16:53:32 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
2
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmelhmp6b34s2dyrfkznquydzz6lcly4a3g2pyuiyqb6nwoggexa._file
Verdict:
malicious
Similar samples:
0691d99c393b0ae398a1096ddfb0179bacc2818f3b1d9a6c620d094fd09f8bc8
2779b729bdaa3807f8cb81e680a8497a1694345b5214db7648e7624f545991b3
6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778
65a2b3cf112d50e941051116e68b736239d521bf7611e143ae1c83f93716f6f5
96af204d2dfb74c2fba800c451c04b6c71443be7bd68fadcf718cfda4cfb20e5
9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae
9d31bb5aa1c796ad53caab202d5fe30d09157bf81ed3cc93ea1225e78aff0624
b075b40cecd6da99c0d8793f49b4f672abbf0e688a818f94e746170ef5fb6a89
c1180c7aed504a5021c9ab3e47e7a0c58cb1de163ab360cd74c6561a3f51ded8
d558591f6cfe858a8bbd58b18cf2e3e5e5a5f2c9e0b56913dfd1a0094d1bf6b2
+ 1'433 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/230519-ldly2ada92/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Checks computer location settings
Uses the VBS compiler for execution
Windows security modification
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
ab08b3b1fe0ef92d0f112ab2d85303ce7cb12f1c06cda7e288c403e6d9c6312e
MD5 hash:
2a7bd91cd742426a77c9c744b449ee84
SHA1 hash:
ef3bea6519980767b272ec5baf79d153ff0c0a7f
Link:
https://www.unpac.me/results/5e9085a3-5857-4b52-ade4-48a24982e8cb/
Malware family:
XLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ab08b3b1fe0e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/ab08b3b1fe0ef92d0f112ab2d85303ce7cb12f1c06cda7e288c403e6d9c6312e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments