MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb5ec56740f8e99fe4bf5b43e7fd7db75d678a7273dd418060b610e60185cc20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Hive


Vendor detections: 8



SHA256 hash: bb5ec56740f8e99fe4bf5b43e7fd7db75d678a7273dd418060b610e60185cc20
SHA3-384 hash: 233fcb9fea4a0474a6ef82423ca9b796deaadc8b593006782121f485a584f62f835cbd05ac8f91ef2a3b4922f3cd8ead
SHA1 hash: e66843707cb7302f4b409634af76fa2571b422cc
MD5 hash: e804bf3e7b1395a2a3d348d5e4b0d1f4
humanhash: michigan-moon-pasta-fix
File name: e804bf3e7b1395a2a3d348d5e4b0d1f4.exe
Download: download sample
Signature: Hive
File size: 2'226'688 bytes
First seen: 2022-02-16 12:51:03 UTC
Last seen: 2022-02-16 15:16:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9aebf3da4677af9275c461261e5abde3 (25 x YTStealer, 12 x CobaltStrike, 11 x Hive)
ssdeep: 49152:7QFqW5xahoP3Mq0F4FOguyHjjPweC7hpM0nsyf3B6UBymyPcE4Rz:79WHahqMq55njjIeC740syf3n6kE0
TLSH: T15CA533C620372EC9D344C03A780BC5B796766B17BB9E5C0B198CC958733796F52C7A8A
Reporter: abuse_ch
Tags: exe Hive


abuse_ch
Hive C2:
185.92.73.154:14746

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                    ThreatFox Reference
185.92.73.154:14746    https://threatfox.abuse.ch/ioc/388139/
95.216.85.83:28608     https://threatfox.abuse.ch/ioc/388140/

Intelligence


File Origin
# of uploads: 2
# of downloads: 274
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Launching the process to change the firewall settings
Creating synchronization primitives
Moving a system file
Creating a file
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for analyzed file
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Sending an HTTP POST request to an infection source
Replacing the hosts file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Raccoon
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Connects to many ports of the same IP (likely port scanning)
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Process Patterns
Sigma detected: Copying Sensitive Files with Credential Data
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Remote Thread Created
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Whoami Execution Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses whoami command line tool to query computer and username
Yara detected Raccoon Stealer
Behaviour
Behavior Graph:
[Behavior graph rendering omitted] Behavior Graph ID: 573279, Sample: OqP6erBXbh.exe, Startdate: 16/02/2022, Architecture: WINDOWS, Score: 100
Threat name: Win64.Trojan.WinGGo
Status: Malicious
First seen: 2022-02-16 12:52:14 UTC
File Type: PE+ (Exe)
AV detection: 19 of 28 (67.86%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence spyware stealer upx
Behaviour
Checks processor information in registry
Gathers network information
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Program crash
Drops file in Windows directory
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Reads user/profile data of web browsers
Downloads MZ/PE file
Drops file in Drivers directory
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
Unpacked files
SHA256 hash: bb5ec56740f8e99fe4bf5b43e7fd7db75d678a7273dd418060b610e60185cc20
MD5 hash: e804bf3e7b1395a2a3d348d5e4b0d1f4
SHA1 hash: e66843707cb7302f4b409634af76fa2571b422cc
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
Author: Dhanunjaya
Description: Malware in Golang
Rule name: HiveRansomware
Author: Dhanunjaya
Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
Author: Eric Yocam
Description: find Golang malware
Rule name: INDICATOR_SUSPICIOUS_EXE_References_CryptoWallets
Author: ditekSHen
Description: Detects executables referencing many cryptocurrency mining wallets or apps. Observed in information stealers
Rule name: methodology_golang_build_strings
Author: smiller
Description: Looks for PEs with a Golang build ID

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Hive
Executable exe bb5ec56740f8e99fe4bf5b43e7fd7db75d678a7273dd418060b610e60185cc20 (this sample)

Delivery method: Distributed via web download

Comments