MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e
SHA3-384 hash: 98ad454ec6715030d25f6c6912e4600959e5ca2365f18a4f66f909aed03ef47da872d6644ace51c0dba7efc26e509033
SHA1 hash: ea2e6c934d6beeba92e230b919fcd1429b07ff71
MD5 hash: 2fe56b5f4728f2fd8839ac9d937c097d
humanhash: november-august-bravo-paris
File name:2fe56b5f4728f2fd8839ac9d937c097d
Download: download sample
File size:3'131'904 bytes
First seen:2023-07-05 03:50:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:dz+bXZnWLve+zZBXl+hAaeu3qmOPfXX8uZ4IqVhtjOMA+nTTMmIynfAXPNQ44eCJ:xQmGKXlfJutnTbfVGn
Threatray 788 similar samples on MalwareBazaar
TLSH T109E59F346EF91C1EF6A29A3EAADB5E51939698613223734BF34333330D06A1DDE191D4
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter zbetcheckin
Tags:64 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
291
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2fe56b5f4728f2fd8839ac9d937c097d
Verdict:
Malicious activity
Analysis date:
2023-07-05 03:52:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c52395ef-529a-481e-89c6-18cc4bccbc4b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/407346/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.67899333.26031.15589.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching the process to interact with network services
Creating a file in the Windows subdirectories
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm warp
Link:
https://www.filescan.io/uploads/64a4e8aedfc53aa652de8643/reports/70f9ce1a-869b-42e9-baad-a202d5809729/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/931e4efc-8db0-4e9e-ab67-e5db5ea7176f
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1266907
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1266907 Sample: VPVEoEsoBe.exe Startdate: 05/07/2023 Architecture: WINDOWS Score: 80 24 Multi AV Scanner detection for domain / URL 2->24 26 Antivirus / Scanner detection for submitted sample 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 3 other signatures 2->30 7 VPVEoEsoBe.exe 4 2->7         started        process3 file4 20 C:\Users\user\AppData\...\VPVEoEsoBe.exe.log, CSV 7->20 dropped 10 cmd.exe 1 7->10         started        process5 signatures6 32 Suspicious powershell command line found 10->32 13 curl.exe 1 10->13         started        16 powershell.exe 12 10->16         started        18 conhost.exe 10->18         started        process7 dnsIp8 22 upload.nugeta.net 104.21.18.189, 443, 49679 CLOUDFLARENETUS United States 13->22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-01 04:20:48 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yxcbl4qbosmjiml3acrhmboqi3hr2zsz6y2wgv5pgasp2caiospa._file
Verdict:
malicious
Similar samples:
0479683ff6d420fc73b1b229615dce2b94d896ca839747e2c7ca94a258b8ccfd
148bdd903b1b65b6aaf19594068b7d932938292904aa310e3acfd2e73b32a731
501cd8b97f8f05211634cdb5eeb69b195870bd42a9bb40c42b1af2229a8f9b15
5a6f5d425060a2bfc152e1c2673991151e8863354deb3c4febd60ce42a80f35e
9ceef6a61f77d5e5c9d65e5eff7c2ede91cd236839c09830322faf841167a5e3
ad48e21de164d9089b94772d592ae72317f8aca3307c58d29dd798f0084450ba
c515446567eb17bbcfcef6bf1a4ed436674df485b5b77b877ab83ac157b60808
d385de6cbbad786bf6c6e26ca145f659861aad701780e324bc139bd9f843b85d
+ 778 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/230705-eeg8xaad33/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e
MD5 hash:
2fe56b5f4728f2fd8839ac9d937c097d
SHA1 hash:
ea2e6c934d6beeba92e230b919fcd1429b07ff71
Link:
https://www.unpac.me/results/0aa9dfe5-7078-4bab-aa3c-266839a71be3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe c5c415f201749894317b00a27605d046cf1d6659f6356357af3024fd0808749e

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2676812/
Cape
Cape
https://www.capesandbox.com/analysis/407346/

Comments


Avatar
zbet commented on 2023-07-05 03:50:57 UTC

url : hxxps://upload.nugeta.net/uploads/trapline-drivers.exe