MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be0bc9cd7fcedd7359f3c3e8ca2046b19adcce7b100756e529d60a83f9a96613. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Zeppelin
Vendor detections: 12



SHA256 hash: be0bc9cd7fcedd7359f3c3e8ca2046b19adcce7b100756e529d60a83f9a96613
SHA3-384 hash: 45938558ad491731041f7d1c3a1e4ccdd1086dc5fe732438cd72f1e30dd49568a1cc5aebf2c7b415d8ccc3ae894c1272
SHA1 hash: 784cd96f84118f1579d0cd4588d014121d9e827e
MD5 hash: 081f407a4769f34c74ac26da39627a00
humanhash: pennsylvania-nineteen-grey-georgia
File name: 081f407a4769f34c74ac26da39627a00
Signature: Zeppelin
File size: 388'096 bytes
First seen: 2021-11-29 13:36:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3f0b538abbe574275afcdf5200fd4d28 (2 x RedLineStealer, 1 x Tofsee, 1 x ArkeiStealer)
ssdeep: 6144:7/EwEWSwCyYYJIp/LlQRt6IYJ5aMNz3e/1VKiUuJRpwGYu+:DIwCyQpTlQRt6IYJ5aMNzIVowRHYu
Threatray: 45 similar samples on MalwareBazaar
TLSH: T18884BF10A7B0C039F1B716F499BB9379B63F7AA1672890FB52D116EA4634AE0DC31347
dhash icon: 5012b0e068696c46 (8 x RaccoonStealer, 8 x RedLineStealer, 6 x Smoke Loader)
Reporter: zbetcheckin
Tags: 32 exe Zeppelin

Intelligence


File Origin
# of uploads: 1
# of downloads: 205
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 081f407a4769f34c74ac26da39627a00
Verdict: Malicious activity
Analysis date: 2021-11-29 13:37:28 UTC
Tags: ransomware zeppelin evasion trojan

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
DNS request
Sending an HTTP GET request
Sending a custom TCP request

Result
Malware family: n/a
Score: 1/10
Tags: n/a

Behaviour
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed zeppelin

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: RaRansomware
Verdict: Malicious

Result
Threat name: Zeppelin
Detection: malicious
Classification: rans.troj.evad
Score: 92 / 100

Signature
Contains functionality to inject threads in other processes
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Zeppelin Ransomware

Behaviour
Behavior Graph: rendered as an image on the original page (Behavior Graph ID 530363, sample EbnkVHjGin, start date 29/11/2021, architecture WINDOWS, score 92). The graph shows the sample's process tree, its contacts to www.geodatatool.com and geoiptool.com, the dropped spoolsv.exe and Report.wer files, and the WerFault.exe crash handlers it spawned.
Threat name: Win32.Trojan.Strab
Status: Malicious
First seen: 2021-11-27 21:45:27 UTC
File Type: PE (Exe)
Extracted files: 14
AV detection: 23 of 28 (82.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence

Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateProcessExOtherParentProcess
Unpacked files
SHA256 hash: 522d6e25e6b7062786b699c76d46c2a510d94ca0760447a1d0951a6718fc9774
MD5 hash: 82663d9b96e1cb72bab78a9f56a50678
SHA1 hash: 29a5bd379073cd3073764a4f45fac283b0febcd2
Detections: win_zeppelin_auto

SHA256 hash: be0bc9cd7fcedd7359f3c3e8ca2046b19adcce7b100756e529d60a83f9a96613
MD5 hash: 081f407a4769f34c74ac26da39627a00
SHA1 hash: 784cd96f84118f1579d0cd4588d014121d9e827e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_Zeppelin
Author: ditekSHen
Description: Detects Zeppelin (Delphi) ransomware

Rule name: Ran_Buran_Oct_2020_1
Author: Arkbird_SOLG
Description: Detect Buran ransomware
Reference: https://twitter.com/JAMESWT_MHT/status/1323956405976600579

Rule name: Win32_Ransomware_Zeppelin
Author: ReversingLabs
Description: Yara rule that detects Zeppelin ransomware.

Rule name: win_zeppelin_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: win_zeppelin_ransomware_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

Rule name: Zeppelin
Author: @bartblaze
Description: Identifies Zeppelin ransomware and variants (Buran, Vega etc.)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Zeppelin
Executable exe be0bc9cd7fcedd7359f3c3e8ca2046b19adcce7b100756e529d60a83f9a96613 (this sample)

Delivery method: Distributed via web download
