MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA File information Comments

SHA256 hash:	c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e
SHA3-384 hash:	538de1bf2efa7f6d38de46b3c32883be2e8bfecec26fea1c425959ff9a3605325e617f6e012616426af60e1e3b1ca937
SHA1 hash:	37d1ffce2b3b3c65aef9ff729472f78f13293bb5
MD5 hash:	d1761bd51f08057c193beb72642a3b98
humanhash:	fix-north-xray-moon
File name:	file
Download:	download sample
File size:	2'263'563 bytes
First seen:	2023-10-05 19:47:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1d0e3506c01cb61e9312cbea4911e92e
ssdeep	49152:UJGihWdOzS3LVCjfNqmfzohFxK/JLmampPx9t7gdijWLHv+p5:UIiuR3RKC8R6aCPx9hUiCDv+p5
Threatray	19 similar samples on MalwareBazaar
TLSH	T1C5A533413ED685BEC6136330B1A9BB616ABEC31A43131EE387E04F195BB85C3C53A55B
TrID	33.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 21.3% (.EXE) Win64 Executable (generic) (10523/12/4) 13.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 10.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.1% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	848c5454baf47474 (2'088 x Adware.Neoreklami, 101 x RedLineStealer, 33 x DiamondFox)
Reporter	jstrosch
Tags:	exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

299

Origin country :

US

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.26379.24127.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Running batch commands

Launching a process

Сreating synchronization primitives

Creating a process with a hidden window

Sending a custom TCP request

Searching for the window

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

installer lolbin overlay packed sfx shell32

Link:

https://www.filescan.io/uploads/651f12f6426c8727d6ef95bd/reports/47a1f420-d162-4770-ab49-f46f1cc6370d/overview

Verdict:

Malicious

Labled as:

Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/689fd4d1-7e87-4040-9ff8-2c898697d841

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1320551

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e/

Threat name:

Win32.Trojan.Zenpak

Status:

Malicious

First seen:

2023-10-05 19:48:08 UTC

File Type:

PE (Exe)

Extracted files:

8

AV detection:

14 of 23 (60.87%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ya4j3ete4xc7xhe4bn6oxu5lpkpqiriy2p6jda4jnspidqe6nfpa._file

Verdict:

malicious

Similar samples:

5344cc76afc8f58370fc8b0060d3b0a6ee4e623678cc0a9ccd3240e7c26e3371

541a6dd0d681646d8fb14d1e50f15ba49a30ea0dba612101dc43a79fe6571860

5d4111d129f9502329b4da06459f6bfbc4c55a9bd033d8cd4566cb4018887162

60d03b11f7e06c9b3b2bed8c0d2336098b581988f597dc90e0149254d40a7f4d

976ea53789f952c3a9f99edfef1df5e11f9fb8bcc46e36f2666313041987ca18

97775b6d80535de7482269ee9bb7374f33ce99a9b500fac1eb9235295d655999

b6c7f66593503ce7de53dec372a3407ab0c0ed221007eac96e44dd9b9488df0d

d1ef6523758dd7695999c252c63b8dc8ffac74c4b1a672457a1780a9c812d03c

dab14b76fee0692f60331ed4cdc8600c1f5b0c0f9acc4d041ef0cd67b2487124

e68fd4f565a2dbbe16812c3cccc33e5bf2fe226ca51a6785351d778768b96663

+ 9 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231005-yh4qvseh4s/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Unpacked files

SH256 hash:

c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e

MD5 hash:

d1761bd51f08057c193beb72642a3b98

SHA1 hash:

37d1ffce2b3b3c65aef9ff729472f78f13293bb5

Link:

https://www.unpac.me/results/fe77887f-e845-4825-95f1-a9dca35d8025/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe c0389d9264e5c5fb9c9c0b7cebd3ab7a9f044518d3fc9183896c9e81c09e695e

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/2715154/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample