MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b56c9109fdb9e8d8853fa536f3cdea9528a8a53493d3f3dc9f49243e30ed6be5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


IcedID


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b56c9109fdb9e8d8853fa536f3cdea9528a8a53493d3f3dc9f49243e30ed6be5
SHA3-384 hash: 5c0b36cf5ad34d0e4c2117f781a1f6c382b0754461e48ba68e6b5ac70d306a629e30079b753549ea1d880ffb42ecc4c5
SHA1 hash: cd46ddde5fa93f7546aaa4fd419ff183d79aa1d1
MD5 hash: 82b44946e89cc6ee027bebc354330843
humanhash: double-item-low-november
File name:82B44946E89CC6EE027BEBC354330843.exe
Download: download sample
Signature IcedID
Create hunting rule
File size:294'386 bytes
First seen:2021-04-06 00:50:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7fa974366048f9c551ef45714595665e (946 x Formbook, 398 x Loki, 261 x AgentTesla)
ssdeep 6144:oe34Y7vNWnAZ9zZ4nHNPxCAgArk59KHan/43u9TDvwdoRr0VzNP:bLNWnC94HV0AAfer3sTDI2RGNP
Threatray 3 similar samples on MalwareBazaar
TLSH 7F541245B2E099BFE49504301DBBA379E7B3CBE5A7A413A70F946E1D3D792824A340C7
Reporter abuse_ch
Tags:exe


Avatar
abuse_ch
Adware.FileTour C2:
zeleydoby9.fun

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
zeleydoby9.fun https://threatfox.abuse.ch/ioc/6891/

Intelligence

File Origin
# of uploads :
1
# of downloads :
190
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132518/
Detection(s):
SecuriteInfo.com.PUA.DomaIQ.24569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Sending a UDP request
Sending an HTTP GET request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/666866
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Performs DNS queries to domains with low reputation
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 382363 Sample: pLdK3viWG9.exe Startdate: 06/04/2021 Architecture: WINDOWS Score: 56 90 wsgeoip.lavasoft.com 2->90 92 webcompanion.com 2->92 94 7 other IPs or domains 2->94 120 Multi AV Scanner detection for domain / URL 2->120 122 Antivirus detection for URL or domain 2->122 124 Antivirus / Scanner detection for submitted sample 2->124 126 4 other signatures 2->126 11 pLdK3viWG9.exe 21 2->11         started        16 mask_svc.exe 2->16         started        18 svchost.exe 2->18         started        20 10 other processes 2->20 signatures3 process4 dnsIp5 108 retrieve.clubcheese.xyz 104.21.25.127, 49707, 80 CLOUDFLARENETUS United States 11->108 110 bon.ironzebra.site.w.kunlunsl.com 47.246.50.226, 49705, 80 TAOBAOZhejiangTaobaoNetworkCoLtdCN United States 11->110 112 bon.ironzebra.site 11->112 86 C:\Users\user\AppData\Local\...86SISdl.dll, PE32 11->86 dropped 88 C:\Users\user\AppData\Local\Temp\...\1.exe, PE32 11->88 dropped 138 Performs DNS queries to domains with low reputation 11->138 22 1.exe 41 11->22         started        114 98.126.1.130 VPLSNETUS United States 16->114 116 vpn.maskvpn.org 98.126.176.53 VPLSNETUS United States 16->116 140 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->140 142 Hides threads from debuggers 16->142 144 Changes security center settings (notifications, updates, antivirus, firewall) 18->144 26 MpCmdRun.exe 18->26         started        118 127.0.0.1 unknown unknown 20->118 28 drvinst.exe 20->28         started        30 drvinst.exe 20->30         started        file6 signatures7 process8 dnsIp9 102 www.ickyud.pw 109.232.226.206 GLOBALLAYERNL Netherlands 22->102 104 webcompanion.com 104.17.177.102 CLOUDFLARENETUS United States 22->104 106 2 other IPs or domains 22->106 74 C:\Users\user\AppData\Local\...\setup_2.exe, PE32 22->74 dropped 76 C:\Users\user\AppData\Local\...\setup_0.exe, PE32 22->76 dropped 78 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 22->78 dropped 84 4 other files (none is malicious) 22->84 dropped 32 setup_0.exe 2 22->32         started        80 C:\Windows\System32\...\SET227C.tmp, PE32+ 28->80 dropped 82 C:\Windows\System32\drivers\SET34E9.tmp, PE32+ 30->82 dropped file10 process11 file12 62 C:\Users\user\AppData\Local\...\setup_0.tmp, PE32 32->62 dropped 35 setup_0.tmp 31 74 32->35         started        process13 dnsIp14 96 user.maskvpn.org 98.126.176.51 VPLSNETUS United States 35->96 98 s2s-postback.com 139.28.38.230 FREEHOSTUA Ukraine 35->98 100 mybrowserinfo.com 104.21.25.180 CLOUDFLARENETUS United States 35->100 64 C:\Users\user\AppData\...\libMaskVPN.dll, PE32 35->64 dropped 66 C:\Users\user\AppData\Local\...\botva2.dll, PE32 35->66 dropped 68 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 35->68 dropped 70 23 other files (none is malicious) 35->70 dropped 128 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 35->128 130 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 35->130 132 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 35->132 40 mask_svc.exe 35->40         started        43 mask_svc.exe 35->43         started        45 cmd.exe 35->45         started        47 cmd.exe 1 35->47         started        file15 signatures16 process17 signatures18 134 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 40->134 136 Hides threads from debuggers 40->136 49 conhost.exe 40->49         started        51 conhost.exe 43->51         started        53 tapinstall.exe 45->53         started        56 conhost.exe 45->56         started        58 conhost.exe 47->58         started        60 tapinstall.exe 1 47->60         started        process19 file20 72 C:\Users\user\AppData\Local\...\SET1D3C.tmp, PE32+ 53->72 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b56c9109fdb9e8d8853fa536f3cdea9528a8a53493d3f3dc9f49243e30ed6be5/
Threat name:
Win32.PUA.Wacapew
Create hunting rule
Status:
Malicious
First seen:
2021-04-04 05:11:43 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wvwjccp5xhunrbj7uu3phtpksuukrjjuspj7hxe7jesd4mhnnpsq._file
Verdict:
malicious
Similar samples:
49f515b1faaa4273a6c3f3faf8289d685d14a5cbbe84497e9a1f29e77c6cce74
IcedID
703d46e527cbce0c838146a5bb4d93593fb2942ae8dda6cd4d017c5de510549e
IcedID
f0380fcead378582fadeeddf805919af44febcd9386eb60b609477e8cfe04dc8
IcedID
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210406-8f2jqddg4x/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
MD5 hash:
a5f8399a743ab7f9c88c645c35b1ebb5
SHA1 hash:
168f3c158913b0367bf79fa413357fbe97018191
Link:
https://www.unpac.me/results/bd495f49-665b-4a0a-9543-a340888fe2d7/
SH256 hash:
b56c9109fdb9e8d8853fa536f3cdea9528a8a53493d3f3dc9f49243e30ed6be5
MD5 hash:
82b44946e89cc6ee027bebc354330843
SHA1 hash:
cd46ddde5fa93f7546aaa4fd419ff183d79aa1d1
Link:
https://www.unpac.me/results/bd495f49-665b-4a0a-9543-a340888fe2d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b56c9109fdb9e8d8853fa536f3cdea9528a8a53493d3f3dc9f49243e30ed6be5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132518/

Comments