MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1e57f0d0d25c37d9947d74a0f8d7826f2b93bbe4568d2c63b411eeac1c5362b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1e57f0d0d25c37d9947d74a0f8d7826f2b93bbe4568d2c63b411eeac1c5362b
SHA3-384 hash: aa6bdca345b14a64387cce58de0599e946151c48ba45a6eeb86ffdf94506feddf70be478209f4ec886ec134176ebbca2
SHA1 hash: 6ec66f81756bfe1fe0d4f5ab3ebcb703201809dc
MD5 hash: 0fa89cadcd2aa678097616b121d96db4
humanhash: pizza-november-winter-nebraska
File name:0fa89cadcd2aa678097616b121d96db4.exe
Download: download sample
File size:637'440 bytes
First seen:2021-08-18 14:16:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9d9efc27a44fcb7cf802b6cba10d2531 (4 x RemcosRAT, 2 x Formbook)
ssdeep 12288:TKM0u78KU0wzWwGj6ZXwz7ZucohO55Pm6:TQeU04W8gz781U
Threatray 450 similar samples on MalwareBazaar
TLSH T1B2D46C17F1A148BBE1731FBC1C4E92AD553ABDF03F64A846BAD41C856E7EAD03528243
dhash icon 88c7ce3cbddc2f31 (24 x RemcosRAT, 12 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://gordonas.ac.ug/cc.exe
Verdict:
Malicious activity
Analysis date:
2021-08-18 07:23:01 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aa510ff2-fa0b-4179-9ab0-685b05d4958e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180352/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.15878.4337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Dbatloader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/41f34ebb-e1fd-4145-a150-e3ea46cf7064
Result
Threat name:
Clipboard Hijacker
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/835122
Signature
Contains functionality to compare user and computer (likely to detect sandboxes)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467562 Sample: bHPI6BgyZD.exe Startdate: 18/08/2021 Architecture: WINDOWS Score: 96 62 Multi AV Scanner detection for submitted file 2->62 64 Yara detected Clipboard Hijacker 2->64 66 Machine Learning detection for sample 2->66 68 Sigma detected: Execution from Suspicious Folder 2->68 8 bHPI6BgyZD.exe 1 22 2->8         started        13 sqlcmd.exe 13 2->13         started        15 Xyjmwrq.exe 13 2->15         started        17 2 other processes 2->17 process3 dnsIp4 58 cdn.discordapp.com 162.159.133.233, 443, 49696, 49697 CLOUDFLARENETUS United States 8->58 56 C:\Users\Public\Libraries\...\Xyjmwrq.exe, PE32 8->56 dropped 70 Detected unpacking (changes PE section rights) 8->70 72 Uses schtasks.exe or at.exe to add and modify task schedules 8->72 74 Injects a PE file into a foreign processes 8->74 76 Contains functionality to compare user and computer (likely to detect sandboxes) 8->76 19 bHPI6BgyZD.exe 2 8->19         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        78 Multi AV Scanner detection for dropped file 13->78 80 Machine Learning detection for dropped file 13->80 26 sqlcmd.exe 13->26         started        60 162.159.135.233, 443, 49702 CLOUDFLARENETUS United States 15->60 28 Xyjmwrq.exe 15->28         started        30 Xyjmwrq.exe 17->30         started        file5 signatures6 process7 file8 52 C:\Users\user\AppData\Roaming\...\sqlcmd.exe, PE32 19->52 dropped 54 C:\Users\user\...\sqlcmd.exe:Zone.Identifier, ASCII 19->54 dropped 32 schtasks.exe 1 19->32         started        34 reg.exe 1 22->34         started        36 conhost.exe 22->36         started        38 cmd.exe 1 24->38         started        40 conhost.exe 24->40         started        42 schtasks.exe 1 26->42         started        process9 process10 44 conhost.exe 32->44         started        46 conhost.exe 34->46         started        48 conhost.exe 38->48         started        50 conhost.exe 42->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1e57f0d0d25c37d9947d74a0f8d7826f2b93bbe4568d2c63b411eeac1c5362b/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 11:14:28 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
10309a1863cc96d5bb112ca98ae7da03734079c1a8cef1f6b900dcd795e69974
7f3f82532b326a3369f9c15b84620d40b835178cc46fab2dec9c5f2d2220099c
91dfaa2872553058fa716f17748a56e8e4c678c004a72f85e05c7b4949a6c789
9a8c41228b0c201d956ec0c6612e978438c403759d6e1fa0b33e63c3375e3c56
ce294b3c9e58d2d6394e2aa447ad3b586e0e23cdd22bd050a362bdd57a3e3fe9
d40371030031fc84f0cd14b20865ab1a243b4fb45c1afb4075067a97591bccee
d69cdc20da26cfa4b9404fb0477866d243c2e36c0e871d169cd381b358b3c95b
f1751a576879ffed0fed1eee73ab099833ef0c019c6307cab9919275927ba6b6
fad40e1841789cfbef3c9f09b4e557b928597506cd8b93d8eae51cef2ba3cf3f
+ 440 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210818-b8c26ajtm6/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
62917dddaf48b6262f784446559dcd810d1c77dc34c618c0d068ff72eff0f729
MD5 hash:
d0e49ec647875a726c6ae4f89c7e2255
SHA1 hash:
4ad18fc82d3f88be00f96e79f632a26fddc4b1fd
Link:
https://www.unpac.me/results/5733a061-b18f-4968-914b-890f195b635f/
SH256 hash:
795b2b5d6668147d7924ac96f90741ddc2a2b5003f455fb842b613a286fbf8fc
MD5 hash:
53011b69a7231aea23d66805a681144b
SHA1 hash:
e3d0d157e763c865e79ccc5bedc2fd5fd90413f7
Link:
https://www.unpac.me/results/5733a061-b18f-4968-914b-890f195b635f/
SH256 hash:
b1e57f0d0d25c37d9947d74a0f8d7826f2b93bbe4568d2c63b411eeac1c5362b
MD5 hash:
0fa89cadcd2aa678097616b121d96db4
SHA1 hash:
6ec66f81756bfe1fe0d4f5ab3ebcb703201809dc
Link:
https://www.unpac.me/results/5733a061-b18f-4968-914b-890f195b635f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1e57f0d0d25c37d9947d74a0f8d7826f2b93bbe4568d2c63b411eeac1c5362b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b1e57f0d0d25c37d9947d74a0f8d7826f2b93bbe4568d2c63b411eeac1c5362b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1323338/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/180352/

Comments