MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

Intelligence 8 IOCs YARA 1 File information Comments

SHA256 hash:	bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27
SHA3-384 hash:	21dca0390fa47834505d39777e986c0669f8de4bd53a2ae3859e8dc4634cd8601b36ff80f75aa37adaa82656955f8f05
SHA1 hash:	ce3b9a08bf17aaaf3ee31dce4e459af37f7a0d3e
MD5 hash:	e775bf00788d143d1a845c9c2ce48aac
humanhash:	green-missouri-december-kilo
File name:	bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27
Download:	download sample
File size:	332'768 bytes
First seen:	2022-08-04 13:51:44 UTC
Last seen:	2022-08-04 15:20:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f10e4da994053bf80c20cee985b32e29 (65 x GuLoader, 9 x RemcosRAT, 6 x QuasarRAT)
ssdeep	6144:RxFSFuV6m9BhzfSgAnS1oYWuZS76E6GE1WC4lx5HtmY4O4ZCy:FoMhzflAnS1oYWcS76JWC4FHtJ41
Threatray	4'229 similar samples on MalwareBazaar
TLSH	T15E649D496D2C90ECDC55B83DF376C05B5BEE2C07D48856E32D65FF2A20B1F42A926722
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0079fcdcbe8e8edc
Reporter	adrian__luca
Tags:	exe signed

Code Signing Certificate

Organisation:	Raglanfacons Bulkladningers Unencouraged
Issuer:	Raglanfacons Bulkladningers Unencouraged
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-02-10T22:28:31Z
Valid to:	2025-02-09T22:28:31Z
Serial number:	-667d94699d9283d9
Thumbprint Algorithm:	SHA256
Thumbprint:	7aca588e3dfa11381a2948633f7c3d7c460a622d08648aced5c116f6b00c67d9
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

401

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27

Verdict:

Malicious activity

Analysis date:

2022-08-04 13:51:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/8c00c573-b0ad-41dd-8f97-c3851eaca655

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296492/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.61073429.2587.14835.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file in the %AppData% subdirectories

Creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

buer overlay packed quasar shell32.dll wacatac

Link:

https://www.filescan.io/uploads/62ebcf8526369c88566922fa/reports/1d77d2b6-fa95-4d6d-ae81-635ddd34a99c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/c787c453-56b1-4d12-a989-a6877cb613f1

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/1046276

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27/

Threat name:

Win32.Trojan.Guloader

Status:

Malicious

First seen:

2022-07-28 15:54:48 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

19 of 26 (73.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xns4kfkfk76lm3t57enyl4bafimaczb25hpgwkzjyliwm3qinqtq._file

Verdict:

malicious

121dae49dacf1290b5ef4de577a01161b523d9edf8564fa765e7c00ac6c3b862

1a340a1a7fac27ac3b7457ae56e0aa92a493c74a4fb4507d27245293783e8edd

43f1463dd71cfcc3376f99056faf2c0ca6d35bacdd1a68db39b55c7179caf733

8de44c6d5f3c81b21ca61235a70d87c705c3b47127c9815628df1e1b1344a32b

98f3769bc2318575d1a8d3964c11a6d14b4be9aa380395f9dc3e368cbb465056

b75f0520f391edee50a5de8c5d0e65c544b8ed2da8323b42776fd0df788247d4

c1d4497629dff8c33f099d57352369ed56a081ce083a94d76b294d01b3e7479d

ccb00726db19c3c19f4d2747fdc43b1a1bb6ed8d902ed9c45caf5fae7ad0de55

e2dcc59293b027cc625930d90e7542867ee8ec34c2a25a01ca8ccbf64ba50e66

+ 4'219 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220804-q6dwcafef8/

Behaviour

Enumerates physical storage devices

Loads dropped DLL

Unpacked files

SH256 hash:

c7a20bcaa0197aedddc8e4797bbb33fdf70d980f5e83c203d148121c2106d917

MD5 hash:

792b6f86e296d3904285b2bf67ccd7e0

SHA1 hash:

966b16f84697552747e0ddd19a4ba8ab5083af31

Link:

https://www.unpac.me/results/fc0554b7-e07b-4021-b767-90fdf03eedc3/

SH256 hash:

711427242bff919c78fbba2b298b5d5898f75d73f1d7f4c4eb22badf525864a5

MD5 hash:

70ba99745542354a2efcb1c2f167b62b

SHA1 hash:

8b18bc8d3e6e52222baef7ab7ab125436ef5c966

Link:

https://www.unpac.me/results/fc0554b7-e07b-4021-b767-90fdf03eedc3/

SH256 hash:

bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27

MD5 hash:

e775bf00788d143d1a845c9c2ce48aac

SHA1 hash:

ce3b9a08bf17aaaf3ee31dce4e459af37f7a0d3e

Link:

https://www.unpac.me/results/fc0554b7-e07b-4021-b767-90fdf03eedc3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/bb65c5154557fcb66e7df91b85f0202a1801643ae9de6b2b29c2d1666e086c27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ins_NSIS_Buer_Nov_2020_1 Create hunting rule
Author:	Arkbird_SOLG
Description:	Detect NSIS installer used for Buer loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296492/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample