MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b896351c5f5d6bee633563734a8e2fa11a01f879faa818165a12607312fc36a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b896351c5f5d6bee633563734a8e2fa11a01f879faa818165a12607312fc36a4
SHA3-384 hash: 8e450e82bf61fa25967886063278338261758de9f3c0d23d21d5330eded5eaf54a1a5c5eb2066dafcb8f986da5f54ca4
SHA1 hash: 2408349433b6d3a16133630cf8fe75dac67bddb7
MD5 hash: 46954ca98b8f9f70d0dec43624d301df
humanhash: magnesium-aspen-single-coffee
File name:客户端.exe
Download: download sample
File size:8'906'767 bytes
First seen:2021-10-31 03:06:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2cdcfb3a828433ba76b5b41f45519bd9 (2 x ROKRAT, 1 x IcedID)
ssdeep 196608:oMTlAG6ZnP4Vh6CsXDjDyf6L2WliXYrHW1Da8jh/yIA:TlCRP4VICEDVL2ciIrHWHjh/P
Threatray 69 similar samples on MalwareBazaar
TLSH T19996331A620929E9F573213ACC01C43AC871F4735782C59F0AD8ACA79F5B6A5BC37F94
File icon (PE):PE icon
dhash icon aebc385c4ce0e8f8 (10 x PythonStealer, 7 x RedLineStealer, 7 x DCRat)
Reporter Anonymous
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
187
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
客户端.exe
Verdict:
No threats detected
Analysis date:
2021-10-31 03:11:30 UTC
Tags:
installer
Link:
https://app.any.run/tasks/8f1b8b97-17d9-47d2-9f63-49fcb9ec2d0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.PyInstaller.18233.4332.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Deleting a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
GetYourFilesBack Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f7e2a45-44ff-4bc9-9e49-a4cf6d0ad0c4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/879899
Signature
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b896351c5f5d6bee633563734a8e2fa11a01f879faa818165a12607312fc36a4/
Verdict:
unknown
Similar samples:
089b3975338c69d1c8ae96cec13328459e8208c7cf9c88ce98896b90697c140b
4eda894346c802158cadd4483697103468467fffea120f578f8456981bc42fbc
622fb838298b78969dfbe0d1ff0c2fcea071b77e9a30332805a532683a039570
6239fb903c570cff86d4a21391c9a012dd27016243cc5ba67b3c93828a8badd4
81ac71909750b1ba2225c173ea99f56d6e237aeb70b45212ac757e265c25ea6f
a11e597e813bde2241d999f3c2aa8fdecc7f1131507e4aa5fba6ba82dbd75459
e8f57a83f154fb0c67f6064d3dc6914ad4278e5f79d054ec66c3b8383aeb5b5e
eb79eca8cfe119f44e673c28f731ea3e31c196b872c4755e643d6ed67d157ec0
ed3588a0ea55834f7964684d9b97f05a70aea91fbc9eb4f1c5d0a1248acc7fbf
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
pyinstaller
Link:
https://tria.ge/reports/211031-dma9wsccdj/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Unpacked files
SH256 hash:
b896351c5f5d6bee633563734a8e2fa11a01f879faa818165a12607312fc36a4
MD5 hash:
46954ca98b8f9f70d0dec43624d301df
SHA1 hash:
2408349433b6d3a16133630cf8fe75dac67bddb7
Link:
https://www.unpac.me/results/c8b73550-442e-4dd8-94f7-43e2a10aae3b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b896351c5f5d6bee633563734a8e2fa11a01f879faa818165a12607312fc36a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments