MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab
SHA3-384 hash: e0099c97e23170acc06acc6e9804e556df90a66fdd82fb4d2f5c353015ddfc65aa3cd15923ec80f3a6792237a03a051d
SHA1 hash: 449ae90ea454a76a546c0650e87697b757bfc0b8
MD5 hash: 69a3d152861a94a8c8cf69faf4e1dfd7
humanhash: virginia-diet-london-oven
File name:69a3d152861a94a8c8cf69faf4e1dfd7
Download: download sample
File size:5'701'171 bytes
First seen:2021-12-02 20:31:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep 98304:fZGjgLsNypdM5vw9d6ZSvThTOIfDiOj4siBZHMmq/pbOnpaRjPcuagrGqV3Un:fMjuhi5vQ6OhpssiBZHfpaPaKGqV3q
Threatray 7'935 similar samples on MalwareBazaar
TLSH T1EC463376A38F8A76D22605F45B65DAB2C47970022638B333F3D1BD4C6B60CC79A0675B
File icon (PE):PE icon
dhash icon 8862e0d8f2fc7c19 (2 x DanaBot, 1 x Loki, 1 x RemcosRAT)
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
69a3d152861a94a8c8cf69faf4e1dfd7
Verdict:
No threats detected
Analysis date:
2021-12-02 20:35:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a88fc52-2c88-420c-8b3f-0722ac650247

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent14
Create hunting rule
Link:
https://www.capesandbox.com/analysis/210869/
Detection(s):
Win.Packed.Filerepmalware-9864117-0
Create hunting rule

Win.Packed.Stop-9872858-0
Create hunting rule

Win.Packed.Doina-9886276-0
Create hunting rule

Win.Packed.Pwsx-9901330-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a file in the Program Files subdirectories
Creating a process from a recently created file
Searching for analyzing tools
Searching for the window
DNS request
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/586/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed virus wacatac
Link:
https://www.filescan.io/uploads/61a92d46f9d950eb11b6f60f/reports/077398c1-3da9-4237-b9f6-b864dad377ff/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e51c57ca-453b-4987-94a7-79f953703a42
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/900480
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532958 Sample: xJNLT1qWO6 Startdate: 02/12/2021 Architecture: WINDOWS Score: 100 39 Antivirus detection for dropped file 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->43 45 5 other signatures 2->45 7 xJNLT1qWO6.exe 25 2->7         started        process3 file4 23 C:\Users\user\AppData\Local\...\toulon.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\Local\...\abseilvp.exe, PE32 7->25 dropped 27 C:\Users\user\AppData\Local\Temp\...\UAC.dll, PE32 7->27 dropped 29 3 other files (none is malicious) 7->29 dropped 10 abseilvp.exe 3 18 7->10         started        15 toulon.exe 7 7->15         started        process5 dnsIp6 37 ip-api.com 208.95.112.1, 49752, 80 TUT-ASUS United States 10->37 31 C:\Users\user\AppData\...\egbymscdgj.vbs, ASCII 10->31 dropped 57 Antivirus detection for dropped file 10->57 59 Query firmware table information (likely to detect VMs) 10->59 61 May check the online IP address of the machine 10->61 17 wscript.exe 12 10->17         started        33 C:\Users\user\AppData\...\DpEditor.exe, PE32 15->33 dropped 63 Machine Learning detection for dropped file 15->63 65 Hides threads from debuggers 15->65 67 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->67 21 DpEditor.exe 15->21         started        file7 signatures8 process9 dnsIp10 35 iplogger.org 5.9.162.45, 443, 49754 HETZNER-ASDE Germany 17->35 47 System process connects to network (likely due to code injection or exploit) 17->47 49 May check the online IP address of the machine 17->49 51 Query firmware table information (likely to detect VMs) 21->51 53 Hides threads from debuggers 21->53 55 Tries to detect sandboxes / dynamic malware analysis system (registry check) 21->55 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab/
Threat name:
Win32.Infostealer.ClipBanker
Create hunting rule
Status:
Malicious
First seen:
2021-12-02 19:57:32 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0822897c3336073faf73fa391193ea15f55de51aa36d63433a9e794127c34576
42173b9b5ae6bcec8b65312e270633a3df6fa4355c9ac4973486291f0fcd8052
80bed6ab0b5b8714354e174beb3be2c10a749dd8133c2e74f3ebdb4936e6f411
81f9e755ba26058922c5fdb70ead4d6d36c65e95d3bc59a44112c0dd1f928b0e
879305570a2b3dbe710ddd09445db20a1159696a6c72a503135db8eaef5eecb7
aa88fc6977bf02c959ffa6865b99eeee8c1735001f824d1bbcc4ff01d93fbb74
ad57b2094e9d2cbc75ba695c4400d23a8c24046e08eac6906d6f973a4ffaefb9
c386cf7d338f42a76cdc369c9d6d43f2ab6dca0853f80f0cee4770731ea18264
e366497c19208fe45bd04dd3d83f4ec71108b2cefeb4fdaeb60e139743c8bb40
f4f37faf7b52b7544ee58a029dcc54a71941aedcdd2b4eacda2f39c3217aad48
+ 7'925 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211202-za94caegh5/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
81c9c9ed9f47abe3525f8392f2a6ac9885c6f0539511568a3148851adf16f448
MD5 hash:
65a031f3b47c5c14274d82ca4832f5ca
SHA1 hash:
c94230db8fc5e2d57e997756a47dd2c2c9eeb502
Link:
https://www.unpac.me/results/0fe05d9b-6810-41a5-9d06-d0bd0d2acd34/
SH256 hash:
bf619397c1fb4b5277f3d7c1a5e519d540271c487b6953005d4ac928c97a972a
MD5 hash:
23eac0cd3504dd552ed8b33d8bccbeb3
SHA1 hash:
e1af7b10ccb12b0f37538f7663d551729ec2f10c
Link:
https://www.unpac.me/results/0fe05d9b-6810-41a5-9d06-d0bd0d2acd34/
SH256 hash:
b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab
MD5 hash:
69a3d152861a94a8c8cf69faf4e1dfd7
SHA1 hash:
449ae90ea454a76a546c0650e87697b757bfc0b8
Link:
https://www.unpac.me/results/0fe05d9b-6810-41a5-9d06-d0bd0d2acd34/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe b871a7103ea085957ad02ae4983b13e7c1990eb0c2fbc360395e3dfb72e736ab

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1845082/
Cape
Cape
https://www.capesandbox.com/analysis/210869/

Comments


Avatar
zbet commented on 2021-12-02 20:31:29 UTC

url : hxxp://danzlu15.top/download.php?file=nereus.exe