MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d
SHA3-384 hash: dca2cf2ce35645bf9bc8e5edfc8289b4feda2307840bcff7e41fcb7b7b9000db4d0d359edf828728afb08e6d5d2445a3
SHA1 hash: f07d81c1b34bbb462d4903b2165a0c3291a32172
MD5 hash: 1c3406d0ddb9dc1d6e431f4d34d4e70e
humanhash: potato-maine-april-queen
File name:1c3406d0ddb9dc1d6e431f4d34d4e70e.exe
Download: download sample
File size:351'232 bytes
First seen:2020-11-19 06:06:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d7563a2579d4391796e271b5314b47a9
ssdeep 6144:D3ikltLDWR21C/507aNuIcYorhfCDrsqIWS7meOqAOV/zPDAcamEDnB0sGu9j1Ju:DHltLDWRImwHoDQqIWS7mO3FEDB0sGay
Threatray 5 similar samples on MalwareBazaar
TLSH 58740122B280C032D18669354D26CA755EB6FCB6862586CB7BC52B7D9F307D2DB32707
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/542243
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 320220 Sample: SsTOB32ZJY.exe Startdate: 19/11/2020 Architecture: WINDOWS Score: 96 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Multi AV Scanner detection for domain / URL 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 2 other signatures 2->63 7 SsTOB32ZJY.exe 17 2->7         started        process3 dnsIp4 55 4cnx9s25gsvw.top 45.139.186.121, 49769, 49770, 80 HostingvpsvilleruRU Russian Federation 7->55 49 C:\Users\user\AppData\...\syZsNnTNps[1].vx, PE32 7->49 dropped 51 C:\ProgramData\...\appconfig.dll, PE32 7->51 dropped 65 Detected unpacking (changes PE section rights) 7->65 67 Detected unpacking (overwrites its own PE header) 7->67 69 Contains functionality to detect sleep reduction / modifications 7->69 12 cmd.exe 1 7->12         started        15 cmd.exe 1 7->15         started        17 cmd.exe 7->17         started        19 7 other processes 7->19 file5 signatures6 process7 dnsIp8 71 Uses cmd line tools excessively to alter registry or file data 12->71 23 conhost.exe 12->23         started        25 reg.exe 12->25         started        27 timeout.exe 12->27         started        29 conhost.exe 15->29         started        31 reg.exe 1 1 15->31         started        33 conhost.exe 17->33         started        35 reg.exe 17->35         started        53 192.168.2.1 unknown unknown 19->53 41 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->41 dropped 43 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->43 dropped 45 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 19->45 dropped 47 3 other malicious files 19->47 dropped 37 conhost.exe 19->37         started        39 timeout.exe 1 19->39         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d/
Threat name:
Win32.Trojan.Glupteba
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 18:24:00 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414
48069d5f27497d0ace8d6d583b36442c724913ef230b648f1f60f6a59cfd7589
70eb0335e1f9033bec0973ba114d5446442412a9069e05d0b0d7a403dc0b4fcf
ad45d231d336af58e53ed062c82024c28777b9cf0fc3592f9e8fb83c4142a0ff
d893d3b0e8c2fa238a84eeec1adb6dec0853828d314873be41ee74280541b6d0
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201119-e14l9s51zx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Program crash
Loads dropped DLL
Unpacked files
SH256 hash:
bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d
MD5 hash:
1c3406d0ddb9dc1d6e431f4d34d4e70e
SHA1 hash:
f07d81c1b34bbb462d4903b2165a0c3291a32172
Link:
https://www.unpac.me/results/2e40e9d6-9a3e-4b5d-929b-00c6d8d1b0ea/
SH256 hash:
f96912b9444d7d352d21a03cb568f3e27d3df2fc1e4298ea15e2c9bea86309e8
MD5 hash:
a2c8142e9ca0cab89cbba79d2edd95a6
SHA1 hash:
0be192a3c60dd00bc6b92e1b01dfe24f1d8740c2
Link:
https://www.unpac.me/results/2e40e9d6-9a3e-4b5d-929b-00c6d8d1b0ea/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bf250bbbd7b308f4679b2d825c53825f47e7f7d2e6f7a1320d5e6cc8a006ba5d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/828188/
  
Delivery method
Distributed via web download

Comments