MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbabc0cb29dc697735ab4b2d4285e9bb608f992393b734b7b20d4a4ba42a75ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bbabc0cb29dc697735ab4b2d4285e9bb608f992393b734b7b20d4a4ba42a75ce
SHA3-384 hash: 2fc05d6287dc04f925ac05540f6d7b89a96e10b50c640526644d4bca183e55077b20d9f0ebc0d240ae2fedd428d1c3eb
SHA1 hash: b50d28f58d0892708db4ca09658547fba013f73d
MD5 hash: f6a627b01b8ac665add87b047e732613
humanhash: virginia-july-west-minnesota
File name:f6a627b01b8ac665add87b047e732613.exe
Download: download sample
File size:1'271'296 bytes
First seen:2021-10-08 11:50:11 UTC
Last seen:2021-10-08 13:18:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:8JIAmP4P4PmhPXkuRK04wly2uFUGLEWa1k8RWwM:mzmP4PwOP8olNLEra
Threatray 67 similar samples on MalwareBazaar
TLSH T18C45239F5155E5A1C3368B36598720C937C17CA4A6224482EC3EF94ECEBD6B04FBE631
File icon (PE):PE icon
dhash icon 71e888e8cce869b2 (7 x AsyncRAT, 2 x RemcosRAT, 1 x CoinMiner.XMRig)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
256a1a52b691f3564d7ceaa9f6a1eaf4.exe
Verdict:
Malicious activity
Analysis date:
2021-10-08 11:35:12 UTC
Tags:
trojan stealer raccoon loader vidar rat azorult
Link:
https://app.any.run/tasks/56aa295c-30f6-423a-b175-492121c2c4bd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196134/
Detection(s):
SecuriteInfo.com.ArtemisF6A627B01B8A.30316.27560.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/616030a8e3d213d202bb809f/reports/b1634f3e-46e8-4c1a-8cd7-dde1664e151e/overview
Result
Threat name:
IPack Miner
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/867060
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected IPack Miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499492 Sample: frF39bBsa7.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 96 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected IPack Miner 2->36 38 Machine Learning detection for sample 2->38 40 2 other signatures 2->40 6 frF39bBsa7.exe 1 4 2->6         started        10 winda.exe 1 2->10         started        12 winda.exe 2->12         started        process3 file4 22 C:\Users\user\AppData\Roaming\winda.exe, PE32+ 6->22 dropped 24 C:\Users\user\AppData\...\aspnet_compiler.exe, PE32+ 6->24 dropped 26 C:\Users\user\...\winda.exe:Zone.Identifier, ASCII 6->26 dropped 28 C:\Users\user\AppData\...\frF39bBsa7.exe.log, ASCII 6->28 dropped 42 Writes to foreign memory regions 6->42 44 Allocates memory in foreign processes 6->44 46 Modifies the context of a thread in another process (thread injection) 6->46 14 aspnet_compiler.exe 16 2 6->14         started        48 Machine Learning detection for dropped file 10->48 50 Injects a PE file into a foreign processes 10->50 18 aspnet_compiler.exe 3 10->18         started        20 aspnet_compiler.exe 2 12->20         started        signatures5 process6 dnsIp7 30 82.102.27.195, 46017, 49825 M247GB United Kingdom 14->30 32 185.215.113.77, 49832, 80 WHOLESALECONNECTIONSNL Portugal 14->32 52 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 14->52 54 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 14->54 signatures8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bbabc0cb29dc697735ab4b2d4285e9bb608f992393b734b7b20d4a4ba42a75ce/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-10-08 11:51:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
1d7bd4569c9c65e200191f37c4880af45b409a145ad9e883cd6699f76bcd5262
295962c0e6b38d7e1cde167e3c8479ab2332ab5c136076c3e537316283f28007
618c78fbf67d014137470a93c49571272e7777ce49ab31ccbf47ec11739ef822
906c931107ffb66c345dae2afa253b71ff21ae420348cc44f36de0bbe3921386
a75a498d8ec7bf58a12c07fac6ad98c5581a422cca03fa3ca87b01677f37247e
bcc8c0f61a1dfdfd76ebe02523c3eef4362cb7fb3413b24a7632a2262219a589
d19dc1aef457a11c415d41b9bec1f6e7679b20aacc6771f789c66701be2d9a10
e95d8b2d7c80f9b47d7c3fb368256962c357404e85f45701a473b6354ca18133
eae7adaac2b1487116d7357378d26e226b0786092d4000825685a587673f09ec
+ 57 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211008-nz6xfaeben/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
bbabc0cb29dc697735ab4b2d4285e9bb608f992393b734b7b20d4a4ba42a75ce
MD5 hash:
f6a627b01b8ac665add87b047e732613
SHA1 hash:
b50d28f58d0892708db4ca09658547fba013f73d
Link:
https://www.unpac.me/results/515d16a5-0050-449d-87ca-94c3819b8ed3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.79
Link:
https://yomi.yoroi.company/submissions/bbabc0cb29dc697735ab4b2d4285e9bb608f992393b734b7b20d4a4ba42a75ce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bbabc0cb29dc697735ab4b2d4285e9bb608f992393b734b7b20d4a4ba42a75ce

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1652991/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196134/

Comments