MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458
SHA3-384 hash: 24c2865f7536322ed5087a3ea90b51b5725b219322f8293a932afbfe48e2492c039e03c6a7864384d36aaaaa602f6d7f
SHA1 hash: 92d5d5529933c570e4413d8ae6546b0bf76dd128
MD5 hash: b0119d5f207b8760d397457b2f37a310
humanhash: berlin-robert-queen-violet
File name:b0119d5f207b8760d397457b2f37a310
Download: download sample
File size:10'461'928 bytes
First seen:2022-10-28 19:01:11 UTC
Last seen:2023-08-26 20:55:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3017ccb2c25f455f959277b4c3674df (2 x RedLineStealer, 2 x Vidar, 1 x Blackcocaine)
ssdeep 196608:KV/dL1Ow70JWCFNwxrGxLCZvAbY6wuhaJ4dXF:K3L10/FNwxaxLCZ8Y1waJ4hF
Threatray 2'486 similar samples on MalwareBazaar
TLSH T18BB633A74BB1EC5BCDB883B1BE00931285A1BCB2C4532A15F10F9795876817E7BB72C5
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 5400d454d5a50000 (1 x LaplasClipper)
Reporter zbetcheckin
Tags:exe signed

Code Signing Certificate

Organisation:www.exciting.com
Issuer:www.exciting.com
Algorithm:sha256WithRSAEncryption
Valid from:2022-10-28T01:18:34Z
Valid to:2023-10-28T01:38:34Z
Serial number: 4702a6d41c02b2aa4a4562ed47df4d11
Thumbprint Algorithm:SHA256
Thumbprint: 97a19709adbfbe0a2dc1e581f206aa71cdeb7bbd36b677baf42c98c4fbf02516
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b0119d5f207b8760d397457b2f37a310
Verdict:
No threats detected
Analysis date:
2022-10-28 19:03:09 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/06c7d9ce-806b-4169-9c1d-1a3635d674f0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/325617/
Detection(s):
SecuriteInfo.com.Win64.Malware-gen.20243.7143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/635c272c791bb7e48afdbff1/reports/462ad36a-61ef-4038-aa25-e4e860f8c934/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f5775526-a02c-4bd4-a28f-159b4baa5c6b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1100580
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-10-28 19:12:39 UTC
File Type:
PE+ (Exe)
Extracted files:
27
AV detection:
7 of 26 (26.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xi64witjbyarzl776he4b4zhyyncn6qwv2mheiv7nxzv2w6uirma._file
Verdict:
unknown
Similar samples:
0228149fc99d9323a5f2cfe773e1fac2652c043b1e591d4270472b08df7d85e8
15d06d1741cc8b5495da9c79c6f630e33060e80c73da9666500f6f0bdf5ff259
212033484641d51e968cecf3f8f2b7cf275f7c69e5c159093cecb73d07ddf1f3
354d75a7702604c1424e1e922958a93e5911ed356a5736f1a0f4de84eca02412
91bec27b79b2889bfe9eedc744b74b9438c638299f43c14a39f080fbb90f8eee
9ceef6a61f77d5e5c9d65e5eff7c2ede91cd236839c09830322faf841167a5e3
c1d2903436ac3cf276215add14bbdfceff7e2e9502e7e62d384c01024dea992f
d6c0c6811d1cc9e747774b3d6b8681336bddf2506885fcd59e0e6b8d124fb723
e4e2543f5f4cd37a6d436b1a4bb5ee2bcb1a6c8c64e5067d031efe428c4f9b24
+ 2'476 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion spyware stealer trojan
Link:
https://tria.ge/reports/221028-xpr5zabde7/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Reads user/profile data of web browsers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/00268fcb-21ba-4a7e-b35a-46909374fde1
Unpacked files
SH256 hash:
ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458
MD5 hash:
b0119d5f207b8760d397457b2f37a310
SHA1 hash:
92d5d5529933c570e4413d8ae6546b0bf76dd128
Link:
https://www.unpac.me/results/f84f575d-a586-4ce9-937f-ee85d3ac6a28/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ba3dcb22690e011caffff1c9c0f327c61a26fa16ae987222bf6df35d5bd44458

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2389579/
Cape
Cape
https://www.capesandbox.com/analysis/325617/

Comments


Avatar
zbet commented on 2022-10-28 19:01:14 UTC

url : hxxp://45.83.122.33/bthudtask.exe