MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8
SHA3-384 hash: b3c8670f17a314a6c59751e8f516ccefdf2ef1077997666bab98ecd839bca6e509cc335984904d4f7e05bc5c4504df76
SHA1 hash: 3256eca2d1638d421bc53cbfcca50effc18b5cec
MD5 hash: 809fd08e5f79d466a9246b7a793f691d
humanhash: lake-grey-nineteen-illinois
File name:809fd08e5f79d466a9246b7a793f691d.exe
Download: download sample
File size:14'548'480 bytes
First seen:2023-03-26 16:32:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 57c9b357ae0cb2f414b0a5873e2f216d
ssdeep 98304:JvmmcknTucGhl/v9bDFVgICy0Ex/4Rm0cZOssY:J5vTpGhJv1FtCEiRm
Threatray 162 similar samples on MalwareBazaar
TLSH T1B4E64B07F89191E5C5BED130C6769262BA303C495F3023E73B21F6B92B72BD46A79394
gimphash 7da5882bed8a23290fae2b31f1351622f96170ad87bd638f0ee0e91cd5edbea8
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
raccoon
Create hunting rule
ID:
1
File name:
09e5c6db3ddafacd61fd8231a55b08ad.exe
Verdict:
Malicious activity
Analysis date:
2023-03-26 16:37:07 UTC
Tags:
raccoon recordbreaker trojan loader
Link:
https://app.any.run/tasks/d38ef36f-b894-48ac-97a0-04d9a9ed37a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Reading critical registry keys
Running batch commands
Launching a process
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware virus
Link:
https://www.filescan.io/uploads/642073c01770808abe9b65c0/reports/6a95b554-ad9f-43d2-aa0a-30a20e9e906d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8
Result
Verdict:
MALICIOUS
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/68f61810-25e2-49f9-afc9-4bd4945f7e4c
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1202181
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 835087 Sample: bDe87CI4VC.exe Startdate: 26/03/2023 Architecture: WINDOWS Score: 60 22 Antivirus / Scanner detection for submitted sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 9 bDe87CI4VC.exe 2->9         started        process3 signatures4 26 Tries to harvest and steal browser information (history, passwords, etc) 9->26 12 cmd.exe 1 9->12         started        process5 process6 14 conhost.exe 12->14         started        16 choice.exe 1 12->16         started        process7 18 MpCmdRun.exe 1 14->18         started        process8 20 conhost.exe 18->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8/
Threat name:
Win64.Trojan.Goback
Create hunting rule
Status:
Malicious
First seen:
2023-03-26 01:59:55 UTC
File Type:
PE+ (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wuzfol23mql2eqrqtrfbx5po6pvmmbyge3pz3vnshse5qfms4lma._file
Verdict:
unknown
Similar samples:
22e2b816a20424bb37abf9cfc22605709173aa4208b9e383fe10266469b2f916
39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
67dd0268cb9b122574629662f97f6d56ffca8e7d478f38be141ac02131708730
6888c253f7fe673389ea592d69e1844c81eb01f313514df88f9dbdebad514aa8
89e18340e51790ee07e1c6845a93f737ef6be8470e5a1158aef24539658eb235
b9736626a522b3d6301ede70895f1ffbb592d88b2f9e7a9908797e0a0249b00c
de806157402fbf33b8ef3e4f2959d06fae95d56ec043acc95932fc70522f41ab
f9c21532868a2cd3cbeaa22f92c237cb73bff27d73fc49716d81c89eedb72be9
+ 152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/230326-t2hwaabb41/
Behaviour
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8
MD5 hash:
809fd08e5f79d466a9246b7a793f691d
SHA1 hash:
3256eca2d1638d421bc53cbfcca50effc18b5cec
Link:
https://www.unpac.me/results/0b2cf25e-de3c-4780-adbe-570a71cf4720/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b532572f5b6417a242309c4a1bf5eef3eac6070626df9dd5b23c89d81592e2d8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2512909/
  
Delivery method
Distributed via web download

Comments