MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
SHA3-384 hash: e32171fd93016c2c6d8ec338ff7a720c63e7094a53f04406a18ed3e3a74211d1ee74d9992c0cab27b34614f04900aed6
SHA1 hash: 367aa25deffe5b4c0820af3c2467f3dca54d7297
MD5 hash: c1e918bab92dc5f1dcabe1fc2f9b6981
humanhash: edward-michigan-bravo-washington
File name:Malwarebytes-Setup.exe
Download: download sample
File size:1'392'469 bytes
First seen:2020-09-03 14:43:00 UTC
Last seen:2020-09-03 15:57:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:053uhF4ccjXB476PaZQrB982KfkVxLmtzs0EpRAYo4Jr5TaRFiWzc2MzRJd:05+hFUPaZQrX82CWxLmtzVEDqur5T0cT
Threatray 11 similar samples on MalwareBazaar
TLSH 3F55220076C940FADB9365311950A61DE4FABE3D1B27C8C3D7543E063A366E1AEFC19A
Reporter JAMESWT_WT

Code Signing Certificate

Organisation:DigiCert Assured ID Root CA
Issuer:DigiCert Assured ID Root CA
Algorithm:sha1WithRSAEncryption
Valid from:Nov 10 00:00:00 2006 GMT
Valid to:Nov 10 00:00:00 2031 GMT
Serial number: 0CE7E0E517D846FE8FE560FC1BF03039
Intelligence: 22 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 3E9099B5015E8F486C00BCEA9D111EE721FABA355A89BCF1DF69561E3DC6325C
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54818/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Searching for the window
Enabling autorun by creating a file
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/458464
Signature
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 281645 Sample: Malwarebytes-Setup.exe Startdate: 03/09/2020 Architecture: WINDOWS Score: 76 53 Multi AV Scanner detection for submitted file 2->53 55 Sigma detected: Drops script at startup location 2->55 57 Uses ping.exe to sleep 2->57 59 2 other signatures 2->59 9 Malwarebytes-Setup.exe 7 2->9         started        process3 signatures4 63 Contains functionality to register a low level keyboard hook 9->63 12 cmd.exe 1 9->12         started        14 cmd.exe 1 9->14         started        process5 signatures6 17 cmd.exe 2 12->17         started        21 conhost.exe 12->21         started        67 Drops PE files with a suspicious file extension 14->67 23 conhost.exe 14->23         started        process7 file8 39 C:\Users\user\AppData\...\SearchIndexer.com, PE32 17->39 dropped 61 Uses ping.exe to sleep 17->61 25 SearchIndexer.com 17->25         started        28 PING.EXE 1 17->28         started        31 PING.EXE 1 17->31         started        33 certutil.exe 2 17->33         started        signatures9 process10 dnsIp11 65 Drops PE files with a suspicious file extension 25->65 35 SearchIndexer.com 6 25->35         started        47 127.0.0.1 unknown unknown 28->47 49 192.168.2.1 unknown unknown 28->49 51 UKL.UVLJR 31->51 signatures12 process13 dnsIp14 45 JYdpMxmnJaadw.JYdpMxmnJaadw 35->45 41 C:\Users\user\AppData\Roaming\...\cousl.com, PE32 35->41 dropped 43 C:\Users\user\AppData\Roaming\...\cousl.url, MS 35->43 dropped file15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803/
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-09-03 08:37:51 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
23e87924005aeef08ab3c9402aa749c0373ed9fa6c1706c13ca1df5ec33f8928
637d172395f876a73f77476c2ab1261e289b8f12395110627a7c93583b11c868
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
ab6c220ed37a3771afb540e7b1179aea65119d6e3da91d55af7f659f61541f42
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200903-acgwg2bgwe/
Behaviour
Checks processor information in registry
Runs ping.exe
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
JavaScript code in executable
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
UPX packed file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54818/

Comments