MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1fa3db2305f07252e230c2c3a0ea5d359d255e80e49df26782e283f40e97ed4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments 1

SHA256 hash:	b1fa3db2305f07252e230c2c3a0ea5d359d255e80e49df26782e283f40e97ed4
SHA3-384 hash:	e9bc2552b1e48492000899debba069c4d59fcc399637a83853f511f52651ac0225b63c884360439a17260cedfabf0962
SHA1 hash:	46b0e1a5a165b2c020dd3e76ad22c7f354fc05c5
MD5 hash:	eabbce0d5148880b62cb999253c48bae
humanhash:	michigan-kansas-mexico-fanta
File name:	eabbce0d5148880b62cb999253c48bae
Download:	download sample
File size:	4'222'464 bytes
First seen:	2022-06-02 18:02:07 UTC
Last seen:	2022-06-02 18:37:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep	98304:jqap8W5bzD18m83HQ75ACwvhEkQRQmnGdHa1:jqalg3HQuCwJJQi+G
Threatray	156 similar samples on MalwareBazaar
TLSH	T1E01633EE720EBB83BC8AE47091125A6CD7B967721CA17D0853F544B2D4889E1143B9FF
TrID	64.7% (.EXE) UPX compressed Win64 Executable (70117/5/12) 25.0% (.EXE) UPX compressed Win32 Executable (27066/9/6) 4.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.8% (.EXE) OS/2 Executable (generic) (2029/13) 1.8% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	zbetcheckin
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

382

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

eabbce0d5148880b62cb999253c48bae

Verdict:

No threats detected

Analysis date:

2022-06-02 18:04:13 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fcdabf20-f1cf-4661-9719-3c6944401393

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/276375/

Detection(s):

SecuriteInfo.com.Trojan.MulDrop20.8172.28004.31667.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Changing a file

Creating a file in the %AppData% subdirectories

Running batch commands

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug packed trickbot

Link:

https://www.filescan.io/uploads/6298fb72d9bdf2866781a426/reports/b8e84a88-0837-4760-a2d5-d00a08f9c46b/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/25535c79-81cc-4b19-abae-bfffcb1a8a42

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1005924

Signature

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b1fa3db2305f07252e230c2c3a0ea5d359d255e80e49df26782e283f40e97ed4/

Threat name:

Win64.Trojan.TrickBot

Status:

Malicious

First seen:

2022-06-01 12:45:23 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wh5d3mrql4dsklrdbqwdudvf2nm5evpibze56jtyfyud6qhjp3ka._file

Verdict:

malicious

53a7a867dfacb28aad8efcd8ffb41256a3f4b717fdf50251da0de4b4b4621a1c

84858e95dcf7fe3cb43f819f8b496ecc1b44e6f4ea938fb00b0b5c117e9b4075

b3bed1dd25d3031b2d951cab09c87524e022c3cae334e627e26b68e7fb7b9770

c1eae8655ba2f8afc1fdba12f836ad4ba4d26057109b8f70519aba2b88c9b92b

c3e1e5ecdab6126e17bf88fbfee1cd7141d0cbf8f80d939632b479448aec681a

d0733e6d63cc945305a0cd7aa12b86b75d0c6840f7d9ec853aca379c18c22528

e2f406a64288fc869e73312835ddeaab6b70ceb8d02661eff96a7a98dc5f261a

e381d2ff39b4396f61397eb75ab10ba5002c3ae50c4062aee82d7ea444e59917

e69716b0ea13b412bf6e3ac4f9a0bca987d99788f9d20cedd8fcacee0a7c3f38

+ 146 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

spyware stealer upx

Link:

https://tria.ge/reports/220602-wm15eshef3/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Reads user/profile data of web browsers

UPX packed file

Unpacked files

SH256 hash:

a942efc8d0784ca5850f6ae6201b4c5b6532fc033557c05e0cb6cae1b1483048

MD5 hash:

ca94a5fdbf6c3561fc7d7327e27dfc1d

SHA1 hash:

69be8439823f44a7d8e4694e17dd7b17da3800bb

Link:

https://www.unpac.me/results/11bc4ca6-2ab7-4979-a79e-75573a75322a/

SH256 hash:

b1fa3db2305f07252e230c2c3a0ea5d359d255e80e49df26782e283f40e97ed4

MD5 hash:

eabbce0d5148880b62cb999253c48bae

SHA1 hash:

46b0e1a5a165b2c020dd3e76ad22c7f354fc05c5

Link:

https://www.unpac.me/results/11bc4ca6-2ab7-4979-a79e-75573a75322a/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/b1fa3db2305f07252e230c2c3a0ea5d359d255e80e49df26782e283f40e97ed4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe b1fa3db2305f07252e230c2c3a0ea5d359d255e80e49df26782e283f40e97ed4

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2222256/

Cape

https://www.capesandbox.com/analysis/276375/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

zbet commented on 2022-06-02 18:02:12 UTC

url : hxxp://file-hoster-cluster-1.com/1.exe