MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Epsilon


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a
SHA3-384 hash: 8b3e6960a8c4499a77224dc5637f9381ae3bcc952404b8cdeac44d4eb839578ff61728bdd2a304cfb135460c69b512bf
SHA1 hash: 1e73b89abd5e0e0e74291d5ebb4f10574a9ef2e2
MD5 hash: f3d78f15bf85aa14f71979585d310ae7
humanhash: twenty-kilo-sierra-nebraska
File name:bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a.bin
Download: download sample
Signature Epsilon
Create hunting rule
File size:11'264 bytes
First seen:2021-01-18 22:35:58 UTC
Last seen:2021-01-19 10:19:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 192:Lv8BhNWsMY6u4FPioYYYFKongPvEcLP9R2YoM8fddo5MZMU2nQ8nK88YJ:gBhIsQuWPioYYYFKog0cLPHEM8f3o5Mm
Threatray 2 similar samples on MalwareBazaar
TLSH 87320904E3DC8862C4BF5E3564B3031117B1F7499E13EB1F21AAE29B2BD330299D6721
Reporter Arkbird_SOLG
Tags:Epsilon Loader Ransomware

Intelligence

File Origin
# of uploads :
3
# of downloads :
266
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
x65454.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 19:38:55 UTC
Tags:
ransomware
Link:
https://app.any.run/tasks/1b3688b4-259b-40ee-a27e-25f39a76aa29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112704/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.17.22605.21869.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Changing a file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Encrypting user's files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.spre
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/584322
Signature
Binary contains a suspicious time stamp
Deletes shadow drive data (may be related to ransomware)
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Writes many files with high entropy
Yara detected Ransomware_Generic
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341196 Sample: PC51Jij3Pq.bin Startdate: 18/01/2021 Architecture: WINDOWS Score: 92 42 cdn.discordapp.com 2->42 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Found ransom note / readme 2->52 54 4 other signatures 2->54 7 PC51Jij3Pq.exe 15 6 2->7         started        11 TaskHostHelper.exe 2 2->11         started        14 TaskHostHelper.exe 2 2->14         started        signatures3 process4 dnsIp5 44 cdn.discordapp.com 162.159.133.233, 443, 49707 CLOUDFLARENETUS United States 7->44 30 C:\Users\user\AppData\...\TaskHostHelper.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\...\PC51Jij3Pq.exe.log, ASCII 7->32 dropped 16 TaskHostHelper.exe 1 2 7->16         started        20 conhost.exe 7->20         started        34 C:\...\MobileScanCard_Light.pdf, DOS 11->34 dropped 36 C:\...\MobileScanCard_Dark.pdf, DOS 11->36 dropped 38 C:\...\MobileAcrobatCard_Light.pdf, DOS 11->38 dropped 40 181 other malicious files 11->40 dropped 56 Infects executable files (exe, dll, sys, html) 11->56 file6 signatures7 process8 file9 22 C:\Users\user\AppData\...\appssynonyms.txt, DOS 16->22 dropped 24 C:\Users\user\AppData\...\SettingsCache.txt, data 16->24 dropped 26 C:\Users\...\AppCache132555155544598480.txt, data 16->26 dropped 28 212 other malicious files 16->28 dropped 46 Writes many files with high entropy 16->46 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 22:36:06 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmnvw4vim6sadb3knllktpgb6sxz6tsp3nli556ofoaspfvurr5a._file
Verdict:
unknown
Similar samples:
7d017b752826bf83685828bebc8a00b050490f46aaa8c21b0dd1020f0c9b563e
Epsilon
b5e178f6b78d77fa92e271409eb3d0472c5608df13fbb7de1f8501f0ee87a8d0
Epsilon
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence ransomware spyware
Link:
https://tria.ge/reports/210118-8825mdkdsn/
Behaviour
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Deletes shadow copies
Unpacked files
SH256 hash:
bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a
MD5 hash:
f3d78f15bf85aa14f71979585d310ae7
SHA1 hash:
1e73b89abd5e0e0e74291d5ebb4f10574a9ef2e2
Link:
https://www.unpac.me/results/14002130-c554-46b7-8374-349d5799df0d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/bb1b5b72a867a401876a6ad6a9bcc1f4af9f4e4fdb568ef7ce2b812796b48c7a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/112704/

Comments