MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c86e30382131951485a3f60819910ce781f1a2fd55967c1565a74861e3026815. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Ousaban
Vendor detections: 8

SHA256 hash: c86e30382131951485a3f60819910ce781f1a2fd55967c1565a74861e3026815
SHA3-384 hash: c260565a6ad7ce6d2bb697b9d6d25c87e30df8871ab330f5b8e15976ffa096961a36d4a47561aded6380cc8bf6b71ab2
SHA1 hash: 0ed8b78a25bb7efa07c0ecc1eb8798b721acf1fb
MD5 hash: 1e485adb7ce6ff476f9bde924dde95c8
humanhash: enemy-robin-maryland-lemon
File name: jli.bin
Signature: Ousaban
File size: 7'889'408 bytes
First seen: 2022-11-24 09:45:29 UTC
Last seen: 2022-11-24 11:29:03 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash e13414f35ab5b1a3319609a136fffd55 (1 x Ousaban)
ssdeep 196608:EaN7DkNElkhHIZcFKKR3TUlbq2j/Yu1Q9gx4r:N9SJI6F5OAu1Q9gir
Threatray 156 similar samples on MalwareBazaar
TLSH T11A8633B333A90081E1EB9C319537FED972F6176A8B42D8BD69E65FC134221D5E702983
TrID 32.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.3% (.EXE) Win32 Executable (generic) (4505/5/1)
14.9% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
10.0% (.EXE) OS/2 Executable (generic) (2029/13)
9.9% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter JAMESWT_WT
Tags:dll ousaban
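Before analysing a copy of this sample, confirm that the bytes you downloaded are the ones this entry describes. The following script is an example added here, not MalwareBazaar's own tooling: it recomputes the four hashlib-supported digests the entry lists (MD5, SHA1, SHA256, SHA3-384), checks the size, and does a minimal PE header parse to confirm the file is a DLL as the entry states. imphash, ssdeep and TLSH need third-party libraries and are left out. The `minimal_pe` helper builds a constructed stand-in header so the checks can be exercised offline; a real run points `check_sample` at the downloaded file.

```python
"""Verify a downloaded sample against the hashes and file type in this entry.

Added example, not MalwareBazaar code. Only hashlib digests are computed;
imphash/ssdeep/TLSH would need pefile, ssdeep and py-tlsh respectively.
"""
import hashlib
import struct

# Values copied from the entry above.
ENTRY = {
    "md5": "1e485adb7ce6ff476f9bde924dde95c8",
    "sha1": "0ed8b78a25bb7efa07c0ecc1eb8798b721acf1fb",
    "sha256": "c86e30382131951485a3f60819910ce781f1a2fd55967c1565a74861e3026815",
    "sha3_384": "c260565a6ad7ce6d2bb697b9d6d25c87e30df8871ab330f5b8e15976ffa096961a36d4a47561aded6380cc8bf6b71ab2",
    "size": 7889408,
    "is_dll": True,
}

IMAGE_FILE_DLL = 0x2000              # IMAGE_FILE_HEADER.Characteristics flag
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C4: "armnt", 0xAA64: "arm64"}


def file_hashes(data: bytes) -> dict:
    """The digests MalwareBazaar records that hashlib can produce."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def parse_pe_header(data: bytes) -> dict:
    """Minimal PE parse: DOS header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "optional_header_size": opt_size,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def check_sample(data: bytes, entry: dict = ENTRY) -> list:
    """Return a list of mismatches; an empty list means the bytes match the entry."""
    problems = []
    for algo, digest in file_hashes(data).items():
        if digest != entry[algo]:
            problems.append(f"{algo} mismatch")
    if len(data) != entry["size"]:
        problems.append(f"size {len(data)} != {entry['size']}")
    try:
        hdr = parse_pe_header(data)
        if hdr["is_dll"] != entry["is_dll"]:
            problems.append(f"is_dll {hdr['is_dll']} != {entry['is_dll']}")
    except ValueError as exc:
        problems.append(f"not a PE: {exc}")
    return problems


def minimal_pe(is_dll: bool = True) -> bytes:
    """Constructed stand-in (not the sample): a bare MZ/PE header with three sections."""
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if is_dll:
        chars |= IMAGE_FILE_DLL
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_header = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_header


if __name__ == "__main__":
    import sys
    from pathlib import Path
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else minimal_pe()
    issues = check_sample(blob)
    print("matches entry" if not issues else "\n".join(issues))
```

Run it as `python verify.py jli.bin` after extracting the download; the constructed header is only there so the parser and comparison logic can be exercised without the sample. Any non-empty result means you are not looking at the file this entry describes, which matters because the vendor verdicts below are for this SHA256 only.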

Intelligence


File Origin
Uploads: 2
Downloads: 185
Origin country: IT (Italy)
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed shell32.dll

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph ID: 753129
Sample: jli.bin.dll
Start date: 24/11/2022
Architecture: WINDOWS
Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

Process tree (reconstructed from the graph edges; ports are listed as remote, local):

loaddll32.exe
    signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Overwrites code with function prologues; Tries to detect virtualization through RDTSC time measurements
    +-- rundll32.exe
    |     network: webattach.mail.yandex.net (87.250.251.147), ports 443, 49685, YANDEXRU, Russian Federation
    |     dropped: C:\C66Pp118.iP7\C66Pp118.iP7.exe (copy), PE32
    |              C:\C66Pp118.iP7\python23.dll, PE32
    |              C:\C66Pp118.iP7\picles.zip, PE32
    |     signatures: System process connects to network (likely due to code injection or exploit); Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Overwrites code with function prologues; Tries to detect virtualization through RDTSC time measurements
    |     +-- C66Pp118.iP7.exe
    |           network: 38.54.95.222, ports 80, 49687, COGENT-174, United States
    |           signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Tries to detect virtualization through RDTSC time measurements
    +-- rundll32.exe
    +-- rundll32.exe
    +-- 7 other processes
          +-- rundll32.exe
                +-- WerFault.exe
C66Pp118.iP7.exe (two instances started directly from the sample root)
2 other processes
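The sandbox run above yields a small set of host and network indicators: a drop directory C:\C66Pp118.iP7\ written by rundll32.exe, the dropped executable running from it and adding autostart registry entries, an outbound connection to 38.54.95.222:80 from that executable, and an earlier connection from rundll32.exe to webattach.mail.yandex.net (87.250.251.147:443). The following script is an example added here, not MalwareBazaar or sandbox vendor code, showing how an analyst would turn those indicators into detection logic over endpoint telemetry. The event dicts use a constructed, Sysmon-like layout rather than any real log schema, and the autorun value name "C66Pp118" in the sample events is an assumption (the entry only says the key names are suspicious). One caveat is built in: webattach.mail.yandex.net is a shared host of a legitimate mail service, so a connection to it alone is scored low and only the drop-directory and 38.54.95.222 indicators are treated as high confidence.

```python
"""Match endpoint telemetry against the indicators in this entry's sandbox run.

Example added here, not MalwareBazaar or Joe Sandbox code. Events are
constructed dicts in a Sysmon-like shape; adapt the field names to your EDR.
"""
from __future__ import annotations

from pathlib import PureWindowsPath

# Indicators taken from the behaviour graph above.
DROP_DIR = PureWindowsPath(r"C:\C66Pp118.iP7")
DROPPED_NAMES = {"c66pp118.ip7.exe", "python23.dll", "picles.zip"}
C2_ENDPOINTS = {("38.54.95.222", 80)}            # contacted by the dropped executable
# Shared mail-attachment host of a legitimate service: weak evidence on its own.
STAGING_ENDPOINTS = {("87.250.251.147", 443)}
STAGING_HOSTS = {"webattach.mail.yandex.net"}
DLL_LOADERS = {"rundll32.exe", "loaddll32.exe"}
AUTORUN_KEY_FRAGMENT = r"\currentversion\run"    # matches Run and RunOnce keys
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}


def _in_drop_dir(path: str) -> bool:
    # PureWindowsPath compares case-insensitively, as NTFS does.
    return DROP_DIR in PureWindowsPath(path.strip('"')).parents


def match_event(ev: dict) -> dict | None:
    """Return {"severity", "reason"} for one event, or None if nothing matched."""
    kind = ev["type"]
    if kind == "file_create":
        target = PureWindowsPath(ev["target"])
        if _in_drop_dir(ev["target"]):
            return {"severity": "high", "reason": f"file written to drop directory: {target}"}
        if target.name.lower() in DROPPED_NAMES:
            return {"severity": "medium", "reason": f"known dropped-file name outside drop directory: {target}"}
    elif kind == "process_create":
        image = PureWindowsPath(ev["image"])
        parent = PureWindowsPath(ev["parent_image"]).name.lower()
        if _in_drop_dir(ev["image"]):
            via = " via DLL loader" if parent in DLL_LOADERS else ""
            return {"severity": "high",
                    "reason": f"execution from drop directory{via}: {image.name} (parent {parent})"}
    elif kind == "registry_set":
        if AUTORUN_KEY_FRAGMENT in ev["key"].lower() and _in_drop_dir(ev["data"]):
            reason = "autostart value %s\\%s points into drop directory" % (ev["key"], ev["value"])
            return {"severity": "high", "reason": reason}
    elif kind == "network_connect":
        endpoint = (ev["dst_ip"], int(ev["dst_port"]))
        host = ev.get("dst_host", "").lower()
        if endpoint in C2_ENDPOINTS:
            return {"severity": "high",
                    "reason": f"connection to C2 endpoint {endpoint[0]}:{endpoint[1]} by {ev['image']}"}
        if endpoint in STAGING_ENDPOINTS or host in STAGING_HOSTS:
            return {"severity": "low",
                    "reason": f"connection to shared staging host {host or endpoint[0]} by {ev['image']}"}
    return None


def scan(events: list[dict]) -> list[dict]:
    """Run every event through match_event and keep the hits with their source event."""
    findings = []
    for ev in events:
        hit = match_event(ev)
        if hit:
            findings.append({**hit, "event": ev})
    return findings


def overall(findings: list[dict]) -> str:
    """Highest severity seen, or "none"."""
    return max((f["severity"] for f in findings), key=RANK.get, default="none")


# Constructed events mirroring the sandbox process tree; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\System32\loaddll32.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\C66Pp118.iP7\C66Pp118.iP7.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\C66Pp118.iP7\python23.dll"},
    {"type": "network_connect", "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "87.250.251.147", "dst_port": 443, "dst_host": "webattach.mail.yandex.net"},
    {"type": "process_create", "image": r"C:\C66Pp118.iP7\C66Pp118.iP7.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe"},
    {"type": "registry_set", "image": r"C:\C66Pp118.iP7\C66Pp118.iP7.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "C66Pp118", "data": r"C:\C66Pp118.iP7\C66Pp118.iP7.exe"},  # value name assumed
    {"type": "network_connect", "image": r"C:\C66Pp118.iP7\C66Pp118.iP7.exe",
     "dst_ip": "38.54.95.222", "dst_port": 80, "dst_host": ""},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53, "dst_host": "dns.google"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['reason']}")
    print("overall:", overall(SAMPLE_EVENTS and scan(SAMPLE_EVENTS)))
```

The first process_create (rundll32.exe under loaddll32.exe) deliberately produces no finding: that lineage is the sandbox harness loading the DLL and is not an indicator on a real host. The low-severity yandex hit becomes meaningful only in the company of the drop-directory or 38.54.95.222 findings, which is why the script reports per-event severities rather than a single boolean.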
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-11-23 13:38:07 UTC
File Type: PE (Dll)
AV detection: 19 of 26 (73.08%)
Threat level: 5/5

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: fed0cdaa95005be6697bbd1d8d1b065d9ef5eb934920448756aa56bcb6a034d0
MD5 hash: a6e82e4e87c7711d241040d41cf939e7
SHA1 hash: d0a2504225390a8b318e33f955ddf207d83fd210
SHA256 hash: c86e30382131951485a3f60819910ce781f1a2fd55967c1565a74861e3026815
MD5 hash: 1e485adb7ce6ff476f9bde924dde95c8
SHA1 hash: 0ed8b78a25bb7efa07c0ecc1eb8798b721acf1fb
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Author:Tim Brown @timb_machine
Description:AD on UNIX

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments