MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfb6f5d5b0ce02091b60a21fb8fdde4dfb1ef824293c85d05caadbeb9b08746e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfb6f5d5b0ce02091b60a21fb8fdde4dfb1ef824293c85d05caadbeb9b08746e
SHA3-384 hash: 85d9bb6cef02f0f204cdbac00d6610f507f897e758f753293022d7f334a54f10a96ed07210c2991cba0546320df84303
SHA1 hash: 56f0fe3794022324e4600301649f7a554fb22bca
MD5 hash: 94d596ff57fad4ffc1c481af3628245f
humanhash: helium-bacon-lima-freddie
File name:94d596ff57fad4ffc1c481af3628245f
Download: download sample
File size:1'465'856 bytes
First seen:2021-12-15 15:50:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0ebb3c09b06b1666d307952e824c8697 (15 x RedLineStealer, 13 x LgoogLoader, 7 x NanoCore)
ssdeep 24576:4mzy0iw7fPDqHS9ZuA2F5FQ/6sfxdDQLwsNlVsD6TcvZhY7qD8fcUzL:+qPDZ9ZuA2FfkpdDQ9U6TOZhLD
Threatray 37 similar samples on MalwareBazaar
TLSH T10E65CF42A3F94129F6F77F367EB461A90ABB7CA2BD38D29D035100AC0976A54D970733
File icon (PE):PE icon
dhash icon d4d4d000d4d6aa81
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://virtualedufairnepal.com/wp-admin/1122.exe
Verdict:
Malicious activity
Analysis date:
2021-12-07 23:41:05 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/e94385bb-c371-45f5-91f5-917c0ba3ce41

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214363/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.38030323.18253.11722.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Launching cmd.exe command interpreter
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2132/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
evasive packed
Link:
https://www.filescan.io/uploads/61ba0ee8dbe06b75d7beb120/reports/39281edd-1f61-4ea9-b8e3-be4fd058dbfb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Luminosity RAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7af74d4b-ae13-4d3b-92fc-79f218cfe76b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.expl.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/907989
Signature
Connects to a pastebin service (likely for C&C)
Creates processes via WMI
Drops PE files with a suspicious file extension
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Obfuscated command line found
Sigma detected: Drops script at startup location
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 540467 Sample: sh8srUMTFU Startdate: 15/12/2021 Architecture: WINDOWS Score: 84 51 pastebin.com 2->51 59 Multi AV Scanner detection for submitted file 2->59 61 Sigma detected: Drops script at startup location 2->61 63 Machine Learning detection for sample 2->63 65 Connects to a pastebin service (likely for C&C) 2->65 10 sh8srUMTFU.exe 1 5 2->10         started        12 wscript.exe 2->12         started        15 bxdejuHfYB.exe.com 2->15         started        18 rundll32.exe 2->18         started        signatures3 process4 dnsIp5 20 cmd.exe 1 10->20         started        23 expand.exe 1 10->23         started        79 Creates processes via WMI 12->79 57 GPooylVndfNOlxitCtA.GPooylVndfNOlxitCtA 15->57 signatures6 process7 signatures8 67 Obfuscated command line found 20->67 69 Uses ping.exe to sleep 20->69 71 Drops PE files with a suspicious file extension 20->71 73 Uses ping.exe to check the status of other devices and networks 20->73 25 cmd.exe 3 20->25         started        29 PING.EXE 1 20->29         started        32 conhost.exe 20->32         started        34 conhost.exe 23->34         started        process9 dnsIp10 45 C:\Users\user\AppData\Local\...\Suo.exe.com, PE32 25->45 dropped 77 Obfuscated command line found 25->77 36 Suo.exe.com 25->36         started        39 findstr.exe 1 25->39         started        55 127.0.0.1 unknown unknown 29->55 file11 signatures12 process13 signatures14 75 Drops PE files with a suspicious file extension 36->75 41 Suo.exe.com 6 36->41         started        process15 dnsIp16 53 GPooylVndfNOlxitCtA.GPooylVndfNOlxitCtA 41->53 47 C:\Users\user\AppData\...\bxdejuHfYB.exe.com, PE32 41->47 dropped 49 C:\Users\user\AppData\...\bxdejuHfYB.url, MS 41->49 dropped file17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfb6f5d5b0ce02091b60a21fb8fdde4dfb1ef824293c85d05caadbeb9b08746e/
Threat name:
Win32.Trojan.Bingoml
Create hunting rule
Status:
Malicious
First seen:
2021-12-11 03:43:21 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0c64aa3ccc9b4f7482dbd5f3291a82bea3607c1290fad0a91b18d7101387d185
1a14097ff774fe463491a6c444a4bf3f7419433ebfc86b511757f2f336e44b3b
1a1473655a8c5bd91dd85a303d458cae759a73b50dbc635a0f3da25dfbd17297
1a7075ca044dd3be84270c4e3a281e3708e5bd6e3499d6bf664160b73c0bd1a5
2592c39ffbe369b2a6d1cf29e90bc0d0459ac881ae5fc2425ee61aa04ff2e97a
49fe6c1cce117dc28884b4713f1583af943af16dd936f760c46b1aedfdad75ca
4f8ce35ede11311d3929f003252184cd364046fb0bbddb083688a57c672acf38
68619800ea68b58b9275cdcbe751c97dc56c700e4cc1343dd28e7525fb2e7a2a
a127a597c69f6084d2076b1f4853404dff77dfb5a1e4f1e8d57516ab035ab0f7
+ 27 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211215-tagtxaaggk/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
b9275931568b34f240a05ec4633118d828d12a6c96d8560a9363c9fd07669b65
MD5 hash:
92b5f8346cf4bb2d5ac0e17a05878d1b
SHA1 hash:
02630f5da6e6bf4a2511a58a3ae0ca05d8dd7b21
Link:
https://www.unpac.me/results/3784b479-d656-4dd2-add4-19338683c051/
SH256 hash:
bfb6f5d5b0ce02091b60a21fb8fdde4dfb1ef824293c85d05caadbeb9b08746e
MD5 hash:
94d596ff57fad4ffc1c481af3628245f
SHA1 hash:
56f0fe3794022324e4600301649f7a554fb22bca
Link:
https://www.unpac.me/results/3784b479-d656-4dd2-add4-19338683c051/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfb6f5d5b0ce02091b60a21fb8fdde4dfb1ef824293c85d05caadbeb9b08746e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe bfb6f5d5b0ce02091b60a21fb8fdde4dfb1ef824293c85d05caadbeb9b08746e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1887818/
Cape
Cape
https://www.capesandbox.com/analysis/214363/

Comments


Avatar
zbet commented on 2021-12-15 15:50:43 UTC

url : hxxps://virtualedufairnepal.com/wp-admin/1122.exe