MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3c03dc87f759a1b0336cb34993bed8d35f9b4e5b28295ff57ebb968875d14e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 8



SHA256 hash: b3c03dc87f759a1b0336cb34993bed8d35f9b4e5b28295ff57ebb968875d14e9
SHA3-384 hash: ea11c17d81641e02db3223a1f932b050e3eed2f205fe41cb8de921bbea36492c9742e5269a6d4e7d9174cceb59815939
SHA1 hash: 0a6fadbd97a795bf2e2de2d8f179b8f1f9e64c3a
MD5 hash: 18cb228ab33391b317543a8081801f01
humanhash: august-arizona-sink-florida
File name: 0a6fadbd97a795bf2e2de2d8f179b8f1f9e64c3a
File size: 94'720 bytes
First seen: 2022-03-15 23:35:45 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c5f2513605e48f2d8ea5440a870cb9e (60 x Babadeda, 6 x AveMariaRAT, 5 x CoinMiner)
ssdeep: 1536:T7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfiwZnDOf:P7DhdC6kzWypvaQ0FxyNTBfiec
Threatray: 142 similar samples on MalwareBazaar
TLSH: T1D1937D41F3E202F7EAF1093100A6726FD73662389764E8DBC74C2D529913AD5A63D3E9
Reporter: vxunderground
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 265
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 0a6fadbd97a795bf2e2de2d8f179b8f1f9e64c3a
Verdict: No threats detected
Analysis date: 2022-03-16 01:47:32 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a file
Creating a process from a recently created file
Creating a window
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
CPUID_Instruction
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Babadeda
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Adds a directory exclusion to Windows Defender
Command shell drops VBS files
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WannaCry Ransomware
Sigma detected: WScript or CScript Dropper
Tries to download files via bitsadmin
Uses bcdedit to modify the Windows boot settings
Yara detected Babadeda
Behaviour
Behavior Graph (ID 590051; sample bltUimKyby; start date 16/03/2022; architecture WINDOWS; score 84)
Top-level signatures: Multi AV Scanner detection for domain / URL; Sigma detected: WannaCry Ransomware; Sigma detected: Powershell adding suspicious path to exclusion list; 6 other signatures
bltUimKyby.exe started
  dropped C:\Users\user\AppData\Local\Temp\...\32DE.bat (ASCII)
  started cmd.exe, conhost.exe
cmd.exe
  dropped C:\Users\user\AppData\Local\Temp\tmp.vbs (ASCII)
  signatures: Tries to download files via bitsadmin; Command shell drops VBS files; Uses bcdedit to modify the Windows boot settings; Adds a directory exclusion to Windows Defender
  started powershell.exe, wscript.exe, NSudo.exe, 16 other processes
Threat name: Win32.Ransomware.LockBit
Status: Malicious
First seen: 2022-03-14 03:02:31 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 23 of 42 (54.76%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: evasion trojan
Behaviour
Download via BitsAdmin
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Legitimate hosting services abused for malware hosting/C2
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
UAC bypass
Unpacked files
SHA256 hash: b3c03dc87f759a1b0336cb34993bed8d35f9b4e5b28295ff57ebb968875d14e9
MD5 hash: 18cb228ab33391b317543a8081801f01
SHA1 hash: 0a6fadbd97a795bf2e2de2d8f179b8f1f9e64c3a
Please note that we are no longer able to provide a coverage score for Virus Total.
