MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbdfac8826b8d6eb2c5f01fd617d72a62c63fd4458f10cdd8ce5b16db530dfe7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hive
Vendor detections: 6

SHA256 hash: cbdfac8826b8d6eb2c5f01fd617d72a62c63fd4458f10cdd8ce5b16db530dfe7
SHA3-384 hash: 8dc4fa68ce246011fc525ea28c096175dcdc1db482518512f7b088615b75c3824bb099be5e6dffa439fc51625bb01f3e
SHA1 hash: afa9d31e633421ff41f5f565e5c98cf8efb44b52
MD5 hash: 487edea28433a33c3c45b4ebb0dc1b3d
humanhash: moon-five-missouri-arizona
File name: changePassword.exe
Signature: Hive
File size: 2'715'136 bytes
First seen: 2022-05-26 23:18:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c7269d59926fa4252270f407e4dab043 (45 x Hive, 23 x ServHelper, 22 x CobaltStrike)
ssdeep: 49152:JYXxGSuLrb/TgvO90dL3BmAFd4A64nsfJhM4UtCmgO3HWAXyD1gR4fVdUB9HCp7b:CX1Gk2WrX4k2q+gYNk
Threatray: 99 similar samples on MalwareBazaar
TLSH: T153C58C03BC9124F4C5E9D23289B592A13632B859073267CB3F95AABB2E737D45F38354
gimphash: 067d59c58db61b5b460a8d0d1c7304ae1f9951c80f727c576318779f9370c99c
TrID:
  48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  9.3% (.EXE) OS/2 Executable (generic) (2029/13)
  9.2% (.EXE) Generic Win/DOS Executable (2002/3)
  9.2% (.EXE) DOS Executable Generic (2000/1)
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: Anonymous
Tags: exe, Hive

Intelligence


File Origin
# of uploads: 1
# of downloads: 443
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: changePassword.exe
Verdict: No threats detected
Analysis date: 2021-12-28 01:23:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a window
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: golang packed
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 26 / 100
Signature: Queries temperature or sensor information (via WMI often done to detect virtual machines)
Behaviour
Behavior Graph ID: 634891
Sample: changePassword.exe
Start date: 27/05/2022
Architecture: WINDOWS
Score: 26
Process tree (parent -> child):
  changePassword.exe
    cmd.exe
      WMIC.exe  [Queries temperature or sensor information (via WMI often done to detect virtual machines)]
      conhost.exe
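The process chain reported above (sample, then cmd.exe, then WMIC.exe) is the shape a detection engineer would hunt for in endpoint telemetry. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors quoted on this page: it scans constructed Sysmon-style process-creation records for WMIC.exe querying a thermal or sensor WMI class, then climbs past the intermediate shell to name the executable that started the chain. The record layout, the PIDs, the paths and the WMI class names (MSAcpi_ThermalZoneTemperature, Win32_TemperatureProbe, Win32_Fan) are assumptions; the page itself only says the sample queries temperature or sensor information via WMI.

```python
"""Detect the WMI temperature/sensor query seen in the process tree above.

Added example, not MalwareBazaar's or any sandbox vendor's code. It scans
constructed Sysmon-style process-creation records for WMIC.exe querying a
thermal/sensor WMI class and walks past cmd.exe/powershell.exe to name the
originating executable. Field layout, PIDs, paths and the WMI class names
are assumptions; the page only states that the sample queries temperature
or sensor information via WMI.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process (Sysmon "Image")
    cmdline: str    # its command line (Sysmon "CommandLine")


# WMI classes commonly read to tell real hardware from a VM (assumed names;
# the page does not say which class the sample used).
SENSOR_CLASS_RE = re.compile(
    r"MSAcpi_ThermalZoneTemperature|Win32_TemperatureProbe|Win32_Fan", re.I
)
SHELLS = ("\\cmd.exe", "\\powershell.exe")

# Constructed events modelled on the tree on this page:
# changePassword.exe -> cmd.exe -> WMIC.exe (and conhost.exe).
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Users\Public\Downloads\changePassword.exe",
              "changePassword.exe"),
    ProcEvent(2010, 2000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "wmic /namespace:\\\\root\\WMI path '
              'MSAcpi_ThermalZoneTemperature get CurrentTemperature"'),
    ProcEvent(2020, 2010, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic /namespace:\\\\root\\WMI path "
              "MSAcpi_ThermalZoneTemperature get CurrentTemperature"),
    ProcEvent(2021, 2010, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff"),
    # Benign: an admin running an inventory query from an interactive shell.
    ProcEvent(3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(3010, 3000, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
]


def origin_chain(event, by_pid):
    """Ancestor list from the first non-shell parent down to `event`."""
    chain = [event.image]
    parent = by_pid.get(event.ppid)
    while parent is not None:
        chain.append(parent.image)
        if not parent.image.lower().endswith(SHELLS):
            break                      # stop at the first non-shell ancestor
        parent = by_pid.get(parent.ppid)
    chain.reverse()
    return chain


def find_sensor_vm_checks(events):
    """Return one hit per WMIC.exe process that queries a sensor class."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\wmic.exe"):
            continue
        if not SENSOR_CLASS_RE.search(e.cmdline):
            continue
        chain = origin_chain(e, by_pid)
        hits.append({"pid": e.pid, "origin": chain[0], "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in find_sensor_vm_checks(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {' -> '.join(hit['chain'])}")
```

The benign WMIC invocation from the PowerShell session is deliberately left out of the results because it does not touch a sensor class; in a real deployment the origin image of each hit is what you would pivot on (signer, prevalence, hash lookup against entries like this one), since cmd.exe and WMIC.exe themselves are legitimate system binaries.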
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: cbdfac8826b8d6eb2c5f01fd617d72a62c63fd4458f10cdd8ce5b16db530dfe7
MD5 hash: 487edea28433a33c3c45b4ebb0dc1b3d
SHA1 hash: afa9d31e633421ff41f5f565e5c98cf8efb44b52
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: GoBinTest
Rule name: golang
Rule name: Golangmalware
  Author: Dhanunjaya
  Description: Malware in Golang
Rule name: HiveRansomware
  Author: Dhanunjaya
  Description: Yara Rule To Detect Hive V4 Ransomware
Rule name: identity_golang
  Author: Eric Yocam
  Description: find Golang malware
Rule name: methodology_golang_build_strings
  Author: smiller
  Description: Looks for PEs with a Golang build ID

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments