MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b078ecc8ba8dd8edd846668866738cba3f803a679b089dfd5b4ca4076c81b82b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b078ecc8ba8dd8edd846668866738cba3f803a679b089dfd5b4ca4076c81b82b
SHA3-384 hash: b85c8a1d28b0fff9b97ed8454d8a8d7630915709670c117d8c8adbf003d407c42443e830c1b35565f9eec493fff55117
SHA1 hash: dcd5a2099f2879fe2b52ad2a834b0a6d391ed5d8
MD5 hash: 6020914469ed6fbbd0a01eb11eb35c70
humanhash: video-georgia-bakerloo-skylark
File name:6020914469ed6fbbd0a01eb11eb35c70
Download: download sample
File size:3'997'184 bytes
First seen:2021-06-24 03:49:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash caea2269e89f6a35f79be57ce7bd8282
ssdeep 98304:ZAJeaviUkk0cpOgN/zfjcduvqSs50KgV2mbNG8:ZAoaKUkBcrfjNySs57gX
Threatray 81 similar samples on MalwareBazaar
TLSH FB06227313794019D5F5CC7D9A37BDA2B0F703BB4A42EC38669AAEC235225E4E213953
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
bce9a372__bioshock-remast.zip
Verdict:
Malicious activity
Analysis date:
2021-06-24 02:26:38 UTC
Tags:
loader evasion trojan rat redline stealer vidar ficker phishing
Link:
https://app.any.run/tasks/a911113a-efc2-4893-b1e5-8d80c0d19e6d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Malware.Fabookie-9797757-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/74355971-60f8-443e-adeb-effdbd7b813e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807123
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected VMProtect packer
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b078ecc8ba8dd8edd846668866738cba3f803a679b089dfd5b4ca4076c81b82b/
Threat name:
Win32.Trojan.Fabookie
Create hunting rule
Status:
Malicious
First seen:
2021-06-13 11:29:20 UTC
AV detection:
38 of 46 (82.61%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3c167530a131f9dc899b73b9eac971b38e44d41cf291893fde8e575602c2b846
3c2fa1d04daaea31991c29bb4118c3d146a50815a033ea5ae325c3171ebdf713
46836190326258f65c9dbc1930b01e9d3de04996a1a2c79e39a36c281d79fe0a
47b989b710739b1c88408ca9bf1b4e833cdab68b4c205c5bcbd94bec501c9b80
48643d9ccc694960fb84f505524d0f148a0331a7e2569171ff3999dd60bc7154
7e17e9de1f6643f57b6cda4a921b025a9caf5689728b0af2f653887f41e2c318
b9f5bca9a22f08aad48674bc42e4eaf72ab8aa3d652ba7a10dc4686b5b183a33
c944bccd2c79cfde05f0c641c559256ff09fdff944381f9d220dfd14cb35a7a7
efea5e4af45434b028bbb6f0f45e57d74cc37a0d46ba85921f456806d48bc97c
ff4a3e44fcd1cfbbf10ac318aca7559e0c20d0563e11e8a98e21e09e97ca68d3
+ 71 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx vmprotect
Link:
https://tria.ge/reports/210624-e29zkrqbrs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
UPX packed file
VMProtect packed file
Unpacked files
SH256 hash:
7867d3acc1e31ac3277c2205dc4aaedf60330e5682853750f94d223c228be124
MD5 hash:
bcd1a2ae9824254fafecad3583dd0440
SHA1 hash:
039a0ca49ebd5abc16af6ab6dfc98fa371426a46
Link:
https://www.unpac.me/results/3223cebe-f812-436f-b35a-db2bb156329d/
SH256 hash:
b078ecc8ba8dd8edd846668866738cba3f803a679b089dfd5b4ca4076c81b82b
MD5 hash:
6020914469ed6fbbd0a01eb11eb35c70
SHA1 hash:
dcd5a2099f2879fe2b52ad2a834b0a6d391ed5d8
Link:
https://www.unpac.me/results/3223cebe-f812-436f-b35a-db2bb156329d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.49
Link:
https://yomi.yoroi.company/submissions/b078ecc8ba8dd8edd846668866738cba3f803a679b089dfd5b4ca4076c81b82b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b078ecc8ba8dd8edd846668866738cba3f803a679b089dfd5b4ca4076c81b82b

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1393487/
  
URLhaus
https://urlhaus.abuse.ch/url/1393512/
  
URLhaus
https://urlhaus.abuse.ch/url/1395760/

Comments