MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Emotet


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c
SHA3-384 hash: 80aa76bece4c0cafdfb772c442c782d32bb3b0ad55592bd0f6e1e258a6dd043244e908f8dea95df4fe801776560a7a6b
SHA1 hash: d16253151f6e59942e45b105efbc0f2e97984411
MD5 hash: 6b500ad29c39f72cd77c150a47df64ea
humanhash: uniform-india-thirteen-steak
File name:si1yaretouu.dll
Download: download sample
Signature Emotet
Create hunting rule
File size:775'917 bytes
First seen:2023-02-08 22:38:11 UTC
Last seen:2023-02-09 00:45:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e88d922e701221cb88fa0287a0d4ccbd (1 x Emotet)
ssdeep 12288:JTccQYkTOmw29akBlIwJrdNbynC8lfTgjy5c0AsL/UWkr2dFrJDKThRCB3zkU86y:JTccQvw29akHyZpgy207zNRdRJDKTHC6
Threatray 2'227 similar samples on MalwareBazaar
TLSH T15BF49F0311E26DB9CA4183346A8BE332B6317D980113FE5F66A5D5322FDA7E11F3EA54
TrID 56.8% (.EXE) InstallShield setup (43053/19/16)
17.2% (.SCR) Windows screen saver (13097/50/3)
13.8% (.EXE) Win64 Executable (generic) (10523/12/4)
3.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
2.6% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter Kostastsale
Tags:Cobalt Strike Emotet exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
388
Origin country :
CA CA
Vendor Threat Intelligence
Malware family:
cobaltstrike
Create hunting rule
ID:
1
File name:
si1yaretouu.dll
Verdict:
Malicious activity
Analysis date:
2023-02-08 22:41:22 UTC
Tags:
installer cobaltstrike
Link:
https://app.any.run/tasks/3ce83af4-18bc-42c0-9bd2-8ef94677612c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/362352/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.5152.8718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
cobalt greyware overlay packed spyeye
Link:
https://www.filescan.io/uploads/63e42488fc4dffab0ccf43ea/reports/e8b4b3b6-7611-4184-8721-e952234e20ec/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Emotet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9171214c-ad61-48d9-8c4e-42cfa82af635
Result
Threat name:
CobaltStrike
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1169352
Signature
C2 URLs / IPs found in malware configuration
Malicious sample detected (through community Yara rule)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Yara detected CobaltStrike
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 802133 Sample: si1yaretouu.dll.exe Startdate: 08/02/2023 Architecture: WINDOWS Score: 88 32 Malicious sample detected (through community Yara rule) 2->32 34 Yara detected CobaltStrike 2->34 36 C2 URLs / IPs found in malware configuration 2->36 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 7->9         started        13 rundll32.exe 7->13         started        15 cmd.exe 1 7->15         started        17 3 other processes 7->17 dnsIp5 30 thefirstupd.com 79.132.128.191, 443, 49713, 49714 COMNET-ASBG Germany 9->30 38 System process connects to network (likely due to code injection or exploit) 9->38 40 Queues an APC in another process (thread injection) 9->40 19 rundll32.exe 15->19         started        22 WerFault.exe 21 9 17->22         started        24 WerFault.exe 9 17->24         started        signatures6 process7 dnsIp8 26 thefirstupd.com 19->26 28 192.168.2.1 unknown unknown 22->28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2023-02-08 22:39:08 UTC
File Type:
PE+ (Dll)
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wn26g7xgpdmpubloa3h6zs7ba56vc43furuydkarvw3dpos4qoga._file
Verdict:
malicious
Label(s):
cobaltstrike
Create hunting rule
emotet
Create hunting rule
Similar samples:
1507cff8fa706197a39fb7e6acd992e2f4301520fb2bfa8be5078616085e9f68
Emotet
1e5918db3c294afd4b39c84d52a7819c790d590e9b7c1056b5d49154c8a538c5
Emotet
5aa82085d0e21dfe6198f58076142c8e80e253b8575ab2723918bb4a9915cd79
Emotet
8142c4554a6b2bb430e9e653c4ef5c5d1cde0a63ad5aa6b6b85a7f1603874d30
Emotet
85f1561bd43a3d61bc010c97322e4440f9a9a5b7ca985a015a150c50771d43d6
Emotet
871630da02f1196f85572e268a602f8b3699072f2f79b1b5cb00f46406805128
Emotet
8c65626d226f87193c9ec0b58c763a3e97c4300b6c9dd7bc57874bd29b0ab4e7
Emotet
8e233464e6311267bde7c29a06a35075d7be68ec1492c21f3c2df338a0bcecee
Emotet
bae3fdaad02bdad5fbbb62d0e2358cb6dcd77eb97fe2e750e69b8c7608e5f09b
Emotet
dbb008087547da45c1c2865a4054ad96dbc938e332b521e47066dc31894fc359
Emotet
+ 2'217 additional samples on MalwareBazaar
Result
Malware family:
cobaltstrike
Create hunting rule
Score:
  10/10
Tags:
family:cobaltstrike botnet:206546002 backdoor trojan
Link:
https://tria.ge/reports/230208-2kyjeahh89/
Behaviour
Modifies system certificate store
Blocklisted process makes network request
Cobaltstrike
Malware Config
C2 Extraction:
http://thefirstupd.com:443/jquery-3.3.1.min.js
Unpacked files
SH256 hash:
b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c
MD5 hash:
6b500ad29c39f72cd77c150a47df64ea
SHA1 hash:
d16253151f6e59942e45b105efbc0f2e97984411
Link:
https://www.unpac.me/results/ee4dd8ca-3150-4f93-a9f7-03ec84414e86/
Malware family:
CobaltStrike
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b375e37ee678/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/b375e37ee678d8fa056e06cfeccbe1077d517365a46981a811adb637ba5c838c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/362352/

Comments