MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bbe77e8a2d371343b317688a63e5200f91e33038c80bddd82b418d85332784b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	bbe77e8a2d371343b317688a63e5200f91e33038c80bddd82b418d85332784b8
SHA3-384 hash:	bfe5b70ee8477ab38dc2260c2508a54da836ca75f197037364d48c96e6ade1d880aa4a74298436f029717f571fd00857
SHA1 hash:	cf6f14bf4c4a2458e290658e71238910c8b54f0d
MD5 hash:	f1c967a3b91f3c7e6f64438cd5c08bd3
humanhash:	twelve-violet-romeo-florida
File name:	Setup.exe
Download:	download sample
File size:	7'697'936 bytes
First seen:	2022-08-19 12:36:29 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eab4e488333ce74fa1cf2f5b6a84f4b (2 x CoinMiner)
ssdeep	196608:O0EcuhyVMAGt0lpKtzrZkXQlc1MdrL6zdjD2dv30o+Z2ESP:ZGdt0lpAZkX8N8djD2J3UZLa
Threatray	50 similar samples on MalwareBazaar
TLSH	T10076332EEA754CBFEFED917A2A2C29BC42580C2648ACCB440E8F5E5A0D375F5315B570
TrID	45.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.3% (.EXE) OS/2 Executable (generic) (2029/13) 18.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

288

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/299770/

Detection(s):

SecuriteInfo.com.Variant.Cerbu.148142.19369.26652.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for analyzing tools

Searching for the window

Creating a window

Sending a custom TCP request

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/62ff8430eb0bf1e2c6ef7ec1/reports/5f24f3f2-11e4-47dd-bc51-cff150dd818f/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/948131b7-a2be-4b0f-be4a-c4a48947b5cb

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/1054377

Signature

Antivirus / Scanner detection for submitted sample

Binary is likely a compiled AutoIt script file

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Uses Windows timers to delay execution

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bbe77e8a2d371343b317688a63e5200f91e33038c80bddd82b418d85332784b8/

Threat name:

Win64.Trojan.Cerbu

Status:

Malicious

First seen:

2022-07-27 22:34:56 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xptx5crng4juhmyxncfghzjab6i6gmbyzaf53wbliggykmzhqs4a._file

Verdict:

unknown

54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e

68706f1c7fd143b8b87788aff9018f8c6314d4215683402e2648d2f3b769eab4

8f5b300680db95b545347229941acb9113690ab187cd7ac7b2cc601b9e31a205

99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd

b464b774eb8a0f033ded0b5d0765f526cfbb4c38452c13e096f03dc7c8025094

cb83f7793fb45301ea771d25d9b47f50e00e9a0b2faf41f483dac3be63eeb15d

dca68095317df735cbaac8724a3d4af4aa504d1b58e30699388b67ec44a0e5b8

e718fda21871d54c4bade2114a35411b639bee1afe21ef5c5c9a608e72337a9d

+ 40 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion themida trojan

Link:

https://tria.ge/reports/220819-ptf99sgba2/

Behaviour

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks whether UAC is enabled

Checks BIOS information in registry

Themida packer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Unpacked files

SH256 hash:

bbe77e8a2d371343b317688a63e5200f91e33038c80bddd82b418d85332784b8

MD5 hash:

f1c967a3b91f3c7e6f64438cd5c08bd3

SHA1 hash:

cf6f14bf4c4a2458e290658e71238910c8b54f0d

Link:

https://www.unpac.me/results/f76df2ba-0b6c-4403-8add-582c675130a2/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.20

Link:

https://yomi.yoroi.company/submissions/bbe77e8a2d371343b317688a63e5200f91e33038c80bddd82b418d85332784b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	INDICATOR_EXE_Packed_Themida Create hunting rule
Author:	ditekSHen
Description:	Detects executables packed with Themida

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/299770/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample