MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69
SHA3-384 hash: 5f8ad6b8bf87887b0d399232ec569f0af668474286669140ca4edf5f9bec520c378da83505209587565647a3744191a7
SHA1 hash: 95072f5aa33b6061e2f0df748c25ce92fe00397e
MD5 hash: 880502ed2101ad8bcba6d2e2e2cd7124
humanhash: oxygen-echo-purple-carbon
File name:880502ed2101ad8bcba6d2e2e2cd7124.exe
Download: download sample
File size:11'927'040 bytes
First seen:2023-02-28 08:18:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 196608:vqMOOyqaCsXDjDyfVW3q+09iq2pPeZH2WliXYrHW1mnFwoxCO/AhNOnKES:VOOybCEDmlh2pMH2ciIrHW0nKyACP
Threatray 178 similar samples on MalwareBazaar
TLSH T19DC63304B25505F9FC32213D4C61D5259DBEF13A4B02C89F8A8816A74F633E6E93BFA5
TrID 48.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.5% (.EXE) InstallShield setup (43053/19/16)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
194
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
880502ed2101ad8bcba6d2e2e2cd7124.exe
Verdict:
Malicious activity
Analysis date:
2023-02-28 08:23:10 UTC
Tags:
installer
Link:
https://app.any.run/tasks/79663dea-2987-4239-ac81-f96bbdde129f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/370556/
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63fdb8fbbbedb8176ff1a81a/reports/39990c11-000e-4d20-b27a-d71051f52f2b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4511802c-2cbb-4609-9cd5-68e15d731463
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1184073
Signature
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 816914 Sample: lCOMVCKl7v.exe Startdate: 28/02/2023 Architecture: WINDOWS Score: 84 62 Multi AV Scanner detection for submitted file 2->62 64 Binary is likely a compiled AutoIt script file 2->64 66 Machine Learning detection for sample 2->66 10 lCOMVCKl7v.exe 4 2->10         started        process3 file4 46 C:\Users\user\...\vWpqzhjcFCAJEmKe.exe, PE32+ 10->46 dropped 48 C:\Users\user\AppData\...\lCOMVCKl7v.exe.log, CSV 10->48 dropped 50 C:\Users\user\AppData\Local\...\registers.exe, PE32 10->50 dropped 13 vWpqzhjcFCAJEmKe.exe 75 10->13         started        17 conhost.exe 10->17         started        process5 file6 52 C:\Users\user\AppData\Local\...\win32ui.pyd, PE32+ 13->52 dropped 54 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 13->54 dropped 56 C:\Users\user\AppData\...\win32security.pyd, PE32+ 13->56 dropped 58 69 other files (none is malicious) 13->58 dropped 68 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 13->68 70 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 13->70 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->72 74 4 other signatures 13->74 19 vWpqzhjcFCAJEmKe.exe 6 13->19         started        signatures7 process8 dnsIp9 60 192.168.2.1 unknown unknown 19->60 22 cmd.exe 19->22         started        24 cmd.exe 1 19->24         started        26 cmd.exe 1 19->26         started        28 156 other processes 19->28 process10 process11 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        38 conhost.exe 28->38         started        40 conhost.exe 28->40         started        42 151 other processes 28->42 process12 44 conhost.exe 30->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-27 22:23:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
1399
AV detection:
7 of 25 (28.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wx4qaevyo7h7jjfpa6uzl3pydqmsgu3jgzoe7eiyeawjbhivpjuq._file
Verdict:
unknown
Similar samples:
09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed
386c57582b7d542de1d6164de34cfea4706fc6418a14c69eb246feca2711003e
6d7eeaa37fd773e4f6f7100e831fa40ffae132f64f0dd059efc85aa52d0be7c3
867db0a04a8d54490d8cbf67b8de79c258f0f0a87bf865fbf78e529b85e6a0e9
90e3b268cf6a1ee1649bded36d75ed45fc1c2b35a53000aa9db9550784251504
9598b077e43d52e3a506e23a96eaca924aa406f5374afa5139283646c448dfc3
afca37e4b44aced677169e1e1b898cb49a2d689f8322e6e824f97ca9a5d49443
ccc9894ae7557a69148494ded97c5e496b6729022eaa1c62e1bd1ad71cf07d84
e66137ab3b86abeb0dec368bbca035163b110bfcc452ee706149a6e0a948578a
+ 168 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/230228-j7vf6aad26/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unpacked files
SH256 hash:
348f47aa5448e5135adc5a4232f3f1b69eb93d83227dd9ab0e060476c7c544bc
MD5 hash:
c23f914f54bdfdbb4189ddabdebec70d
SHA1 hash:
8c6a72c231ba921f121c6d13e15f023697ddf045
Link:
https://www.unpac.me/results/d4aac673-f1e9-4775-8706-687373472ccb/
SH256 hash:
b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69
MD5 hash:
880502ed2101ad8bcba6d2e2e2cd7124
SHA1 hash:
95072f5aa33b6061e2f0df748c25ce92fe00397e
Link:
https://www.unpac.me/results/d4aac673-f1e9-4775-8706-687373472ccb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b5f90012b877cff4a4af07a995edf81c19235369365c4f9118202c909d157a69

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2553336/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/370556/

Comments