MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18
SHA3-384 hash: 25b321ddf5b74a04e91096c8853d60a3cdb284e129c43010c7551380de46fed3d3bc78188814477e7db5c73e525303e8
SHA1 hash: 98990d088d28d6ffa65b60fbfcbdb7973d0bb925
MD5 hash: 39e3bba8eee5758e4fb04b74851433aa
humanhash: coffee-asparagus-ack-robin
File name:svchost.exe
Download: download sample
File size:34'475'187 bytes
First seen:2025-02-01 18:09:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72c4e339b7af8ab1ed2eb3821c98713a (48 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep 786432:D9YiI0pZ2YwUlJTb0vt3orMxITX1blbAWQiwQt85bd+PtFYajYS:D9jpZ2mlhb6ghbvg8tFYaj/
TLSH T15577330457A418EBD5FB5A397BAFD568B2F2B84A2792CECB0B7C53271A4B5D00C35E01
TrID 46.3% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
34.6% (.EXE) InstallShield setup (43053/19/16)
8.4% (.EXE) Win64 Executable (generic) (10522/11/4)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.6% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter aachum
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
465
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
svchost.exe
Verdict:
Malicious activity
Analysis date:
2025-02-01 18:19:15 UTC
Tags:
python pyinstaller ims-api generic rust
Link:
https://app.any.run/tasks/306a0d1e-8b94-4ef4-a48b-d6008324f89d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=679e6359416a81ccc3c4e88f
Tags:
extens virus sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Сreating synchronization primitives
Connection attempt
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
expand lolbin microsoft_visual_cc overlay packed packer_detected
Link:
https://www.filescan.io/uploads/679e6356503cb0637f9bb830/reports/6b5911ba-5c9f-4a5a-b208-ba08bb348c22/overview
Verdict:
Malicious
Labled as:
Cerbu.Generic
Link:
https://www.hybrid-analysis.com/sample/b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1604606
Signature
Antivirus / Scanner detection for submitted sample
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1604606 Sample: svchost.exe Startdate: 01/02/2025 Architecture: WINDOWS Score: 76 102 Antivirus / Scanner detection for submitted sample 2->102 104 Multi AV Scanner detection for submitted file 2->104 106 Sigma detected: System File Execution Location Anomaly 2->106 108 Joe Sandbox ML detected suspicious sample 2->108 10 svchost.exe 277 2->10         started        14 svchost.exe 277 2->14         started        process3 file4 78 C:\Users\...\backend_c.cp310-win_amd64.pyd, PE32+ 10->78 dropped 80 C:\Users\user\...\_cffi.cp310-win_amd64.pyd, PE32+ 10->80 dropped 82 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 10->82 dropped 90 124 other files (none is malicious) 10->90 dropped 112 Uses cmd line tools excessively to alter registry or file data 10->112 16 svchost.exe 1 10->16         started        84 C:\Users\...\backend_c.cp310-win_amd64.pyd, PE32+ 14->84 dropped 86 C:\Users\user\...\_cffi.cp310-win_amd64.pyd, PE32+ 14->86 dropped 88 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 14->88 dropped 92 124 other files (none is malicious) 14->92 dropped 20 svchost.exe 14->20         started        signatures5 process6 dnsIp7 94 149.154.167.51, 443, 49707, 49708 TELEGRAMRU United Kingdom 16->94 96 127.0.0.1 unknown unknown 16->96 98 System process connects to network (likely due to code injection or exploit) 16->98 100 Uses cmd line tools excessively to alter registry or file data 16->100 22 svchost.exe 16->22         started        25 cmd.exe 1 16->25         started        27 cmd.exe 1 16->27         started        29 reg.exe 1 16->29         started        31 cmd.exe 20->31         started        33 cmd.exe 20->33         started        35 reg.exe 20->35         started        signatures8 process9 file10 70 C:\Users\...\backend_c.cp310-win_amd64.pyd, PE32+ 22->70 dropped 72 C:\Users\user\...\_cffi.cp310-win_amd64.pyd, PE32+ 22->72 dropped 74 C:\Users\...\_quoting_c.cp310-win_amd64.pyd, PE32+ 22->74 dropped 76 124 other files (none is malicious) 22->76 dropped 37 svchost.exe 22->37         started        40 WMIC.exe 1 25->40         started        42 conhost.exe 25->42         started        44 conhost.exe 27->44         started        46 conhost.exe 29->46         started        48 conhost.exe 31->48         started        50 WMIC.exe 31->50         started        52 conhost.exe 33->52         started        54 conhost.exe 35->54         started        process11 signatures12 110 Uses cmd line tools excessively to alter registry or file data 37->110 56 cmd.exe 37->56         started        58 cmd.exe 37->58         started        60 reg.exe 37->60         started        process13 process14 62 conhost.exe 56->62         started        64 WMIC.exe 56->64         started        66 conhost.exe 58->66         started        68 conhost.exe 60->68         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18
Gathering data
Threat name:
Win64.Trojan.Cerbu
Create hunting rule
Status:
Malicious
First seen:
2025-01-18 02:40:16 UTC
File Type:
PE+ (Exe)
Extracted files:
2207
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=whsgpbllqhziqjtttzgukk4ampa2z6fftle45lpkiqmifscbdyma._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/250201-wrlwastpgv/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies registry key
Suspicious use of WriteProcessMemory
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cb232962-9b1a-42f1-a0a7-dca40c7939b0
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

CoinMiner

Executable exe b84d06eb8b490a54bdd252a58d25eb54f5580018ecbf3066e0cd5d03ef284c96

CoinMiner

Executable exe 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560

Executable exe b1e467856b81f28826739e4d452b8063c1acf8a59ac9ceadea441882c8411e18

(this sample)

  
Link
https://tria.ge/250201-wlbs5swjeq
  
Dropped by
SHA256 765e63e1c60120f2b2c9f249526049a5312567ab219ba1e22881ebb65c0ce560
  
Dropped by
MD5 f73648b12faad92f981744f7ad02c06e

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments