MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f
SHA3-384 hash:	a389ebd5fcf38509b504b8eb6fbc55ac13b2a3e7232d5cf36902cfdb0fddf354fe9ef733e4439d00296284d78d9aa3ce
SHA1 hash:	a293ed1055ff00dd817d7895b890499e5b5fc814
MD5 hash:	4fed5dd1f3640bd79c42a5683bb5b98f
humanhash:	thirteen-magazine-pizza-winner
File name:	Ziraat Bankası Swift Mesajı (8).exe
Download:	download sample
File size:	958'976 bytes
First seen:	2023-04-06 10:31:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'793 x AgentTesla, 19'692 x Formbook, 12'274 x SnakeKeylogger)
ssdeep	24576:RKEGQKqwA0JdIAnbINoPPi52q2xOTKPah7Mbxb804aemnase4FvbHFMRRQCRabRp:hwHEGEMq2xOTKPuVynLeevbHFMRRQCR+
Threatray	93 similar samples on MalwareBazaar
TLSH	T1DA15BF121A634BD6D6B90D640B7879845678AF42D710633E7C83BD3F8CFBA5B50893E2
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe geo TUR ZiraatBank

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Ziraat Bankası Swift Mesajı (8).exe

Verdict:

Suspicious activity

Analysis date:

2023-04-06 10:32:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/05327128-ad66-45bc-b8bb-00ea2b987497

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/380606/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook packed

Link:

https://www.filescan.io/uploads/642e9fa3da5bf6666c9cdcf7/reports/518d3960-16aa-41da-ad96-c35f17186b70/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/69e8d793-c78c-4833-9797-faa3104f8ada

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f/

Threat name:

Win32.Trojan.Casdet

Status:

Malicious

First seen:

2023-04-06 09:51:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

16 of 36 (44.44%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xo6f6s3goctxzbyxwria2b36p7sksvtj2t2namtzr3iu5u5n347q._file

Verdict:

malicious

3ebff29a9b26f2a968315a7aada1b6aa885afd56a0d8d54e5875371c42dd3520

630f2becb05a49664975e0561dd7f4a45690c3cc1c039816c5b1961caf0c2980

a91dca5f2e89d48fdb09b37bf972be6ef686f4ae84ee01b9684ab968068d0c93

c63fb9dcc59191f33cba3ebae0c3bcb7f8b05fe4a719fb891c61144a640effc3

ce33f260e52f5ea18962a5993e4275c41f527004b57ccc48d518b4ad3b310850

d9fb5f10465038710b0e96b46a5e97d2797667c6c07c5246a4d9f49233055ed4

de19b88c284dcc4b18ea43b7e4dc96679ea39dda05016869cfd2c0aac3132a1c

f8a344532b9c8dba36b351ce752ba35853e625ac627d231a9c0cbc6db980f017

+ 83 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230406-mkyf3scf56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Unpacked files

SH256 hash:

3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a

MD5 hash:

94d1531b52774dce52a89e33646d5b1d

SHA1 hash:

29bf887b025b97bd7a9e1e261852ba824234a625

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

SH256 hash:

478b7bcf61ad5a36ef4b70a2e6d8e6b06e637d92734cc7ccb3cc3f986d516939

MD5 hash:

675856220d9e9730f3ab51d663b87ca4

SHA1 hash:

2dc36a8b39f690ee679044151ce954c6c975b61d

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

SH256 hash:

78263b569d4f9ed2016bd9c29718f62e55413cd4ca0106295c0443fafdc085d5

MD5 hash:

aef59f95e1a844e2551c8f3b4ef5a3b8

SHA1 hash:

d93e7ad3d586dfdee6b1c99db9237760671dd928

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

SH256 hash:

3c507afadbb1c31a9ebdd24baac5739d47576159e01c5e84f973c951885100aa

MD5 hash:

e79bf0e7e9d52d398e0b23b352394c68

SHA1 hash:

682325763a0ec77e0fd475ea3a4021b4651eceac

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

SH256 hash:

b6a1c7682e19607560590c8af9a917ab3d6fdceea532b123c785f86302ce9863

MD5 hash:

9cd836f8e5c9f82348ee4dcf4c382846

SHA1 hash:

58acc8b8f2565406e89caa4bfe45b53d533e0d2d

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

SH256 hash:

fa6e81c6721fe2c371b385c7490b4b7edbd084ea0e1c607ef75cd8800326f912

MD5 hash:

6d3d1b37409aa21cb18fa8649d84311a

SHA1 hash:

3777f4772f8746d3bad3770e172329f5a01a7f25

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

SH256 hash:

bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f

MD5 hash:

4fed5dd1f3640bd79c42a5683bb5b98f

SHA1 hash:

a293ed1055ff00dd817d7895b890499e5b5fc814

Link:

https://www.unpac.me/results/40fdfceb-2e15-493b-8989-3331c425c45e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe bbbc5f4b6670a77c8717b4500d077e7fe4a95669d4f4d032798ed14ed3addf3f

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/380606/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample