MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb523ed85ece7adf2207406ec419214e5d4879e5ecad1a7839e8c08777e5fb31. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 13


SHA256 hash: bb523ed85ece7adf2207406ec419214e5d4879e5ecad1a7839e8c08777e5fb31
SHA3-384 hash: ec750f9dff3627d6a312f77fc4cb3bf2cd8073c56e6d81cae40bca6106ed763171e0f54ddb7042f32a2f8dfb0d9dee80
SHA1 hash: 0a68887d9ddf533d6079dc4491227718d3ced32b
MD5 hash: 294f36ce2f5bdb9762fbe02eff83dbc6
humanhash: edward-river-oxygen-solar
File name: bb523ed85ece7adf2207406ec419214e5d4879e5ecad1a7839e8c08777e5fb31
File size: 102'400 bytes
First seen: 2022-11-05 20:33:38 UTC
Last seen: 2022-11-05 22:40:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9bbf057800f1961071b8027a405aa4a4 (1 x Worm.Virut)
ssdeep: 1536:osceAhbZQAYDd3mwDjSl1q/P8JuUtC5Fe0d0MYMHQxmEg0tavmlsihh6e:oTb0DNmwTP8JuUgZVHQkEBtavmlMe
Threatray: 1 similar samples on MalwareBazaar
TLSH: T1D1A36D3F32EA8632E88788705186BF33D97AAD34192F5647F7805D673C608D96627E07
TrID:
  38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
  8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: f1f8ece470f0b0b2 (7 x NanoCore, 2 x RemcosRAT, 2 x HawkEye)
Reporter: DesdinovaOsint
Tags: exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 145
Origin country: PT

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bb523ed85ece7adf2207406ec419214e5d4879e5ecad1a7839e8c08777e5fb31
Verdict: No threats detected
Analysis date: 2022-11-05 20:36:05 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the Windows directory
Creating a service
Launching a service
Creating a process from a recently created file
Searching for synchronization primitives
Creating synchronization primitives
DNS request
Running batch commands
Creating a process with a hidden window
Enabling autorun for a service

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
MalwareBazaar
CheckCmdLine

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: backdoor greyware nitol
Result
Verdict: MALICIOUS

Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.ServStart
Status: Malicious
First seen: 2017-05-03 04:37:18 UTC
File Type: PE (Exe)
Extracted files: 4
AV detection: 47 of 47 (100.00%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Deletes itself
Unexpected DNS network traffic destination
Executes dropped EXE
Unpacked files
SHA256 hash: bb523ed85ece7adf2207406ec419214e5d4879e5ecad1a7839e8c08777e5fb31
MD5 hash: 294f36ce2f5bdb9762fbe02eff83dbc6
SHA1 hash: 0a68887d9ddf533d6079dc4491227718d3ced32b
Detections: win_yoddos_auto
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Backdoor_Nitol_Jun17
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: Backdoor_Nitol_Jun17_RID2E8F
Author: Florian Roth
Description: Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader
Reference: https://goo.gl/OOB3mH

Rule name: win_yoddos_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.yoddos.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments