MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd538d6c9101cb1ee74257d4540d167ef2fbd4bf9649778d3c669d0d3bf67453. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cd538d6c9101cb1ee74257d4540d167ef2fbd4bf9649778d3c669d0d3bf67453
SHA3-384 hash: 7734854c869248703fbec85e5e8dfdfce2438c2f600cdd3a77013d8f16c65dae917944efadaaff7fa646328e0b02355b
SHA1 hash: aba5ffe29e506f0cd0ebe543c03e79a7f849d034
MD5 hash: b4c6bc95f102eae947c0c14827008ea8
humanhash: edward-blossom-five-cardinal
File name:TribusCat.exe
Download: download sample
File size:35'136'512 bytes
First seen:2023-03-01 16:49:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f0486e7e054aa57188c99b0f71783b75 (3 x NodeLoader, 2 x LummaStealer, 1 x DiscordTokenStealer)
ssdeep 393216:sQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg896l+ZArYsFRlGoQ:s3on1HvSzxAMN8FZArYsSx
Threatray 5 similar samples on MalwareBazaar
TLSH T16B779D03B2A601D5E4B7D1388AA74103D7B2B8674731DACF325D02161FBBAE09A7F765
TrID 45.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.3% (.EXE) OS/2 Executable (generic) (2029/13)
18.0% (.EXE) Generic Win/DOS Executable (2002/3)
18.0% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon 00414f4f4f4f4700 (14 x CoinMiner, 12 x RedLineStealer, 12 x NodeLoader)
Reporter JaffaCakes118
Tags:exe signed

Code Signing Certificate

Organisation:TestCert
Issuer:TestCert
Algorithm:sha1WithRSA
Valid from:2019-12-30T06:22:24Z
Valid to:2039-12-31T23:59:59Z
Serial number: 39059e0ec525d6aa43746a661e974b23
Intelligence: 3 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 495e04d7c5c0f090a9f3a9deaa27859b7108e96e49763787b2bb9c4adf72c654
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TribusCat.exe
Verdict:
No threats detected
Analysis date:
2023-03-01 16:51:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c475af8c-13a7-4ab4-b7b8-88cb774d433e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug greyware overlay packed
Link:
https://www.filescan.io/uploads/63ff8240bfec0852a68e3874/reports/429fd85e-096c-4e1d-a734-1dc7d5e449ed/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/cd538d6c9101cb1ee74257d4540d167ef2fbd4bf9649778d3c669d0d3bf67453
Result
Verdict:
MALICIOUS
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.expl
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1185042
Signature
Found potential ransomware demand text
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 817898 Sample: TribusCat.exe Startdate: 01/03/2023 Architecture: WINDOWS Score: 60 34 Multi AV Scanner detection for submitted file 2->34 36 Sigma detected: Dot net compiler compiles file from suspicious location 2->36 38 Found potential ransomware demand text 2->38 8 TribusCat.exe 1 2->8         started        process3 process4 10 powershell.exe 26 8->10         started        13 cmd.exe 1 8->13         started        15 powershell.exe 31 8->15         started        17 conhost.exe 8->17         started        file5 32 C:\Users\user\AppData\...\tuosr1pw.cmdline, Unicode 10->32 dropped 19 csc.exe 3 10->19         started        22 conhost.exe 13->22         started        24 chcp.com 1 13->24         started        26 conhost.exe 15->26         started        process6 file7 30 C:\Users\user\AppData\Local\...\tuosr1pw.dll, PE32 19->30 dropped 28 cvtres.exe 1 19->28         started        process8
Gathering data
Threat name:
Win64.Trojan.Lazy
Create hunting rule
Status:
Malicious
First seen:
2023-03-01 16:01:42 UTC
File Type:
PE+ (Exe)
Extracted files:
23
AV detection:
6 of 25 (24.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zvjy23erahfr5z2ck7kfidiwp3zpxvf7szexpdj4m2oq2o7worjq._file
Verdict:
unknown
Similar samples:
7b2bcaa3723a8198c9a6f0878b77c7887554079e77e5c9b8f444570be1d744f6
8120be0c1f1898fd6e923efbc135e96c60136219790c0b69714e9d9468906a86
9365c34ac64bccdf316421eb7036d4e8ff8f928161423fae14f1dc5bfda48b66
9dd2beb7cc84848cd0555fa33febf4d06d7b81e8f6927d0df074cb26559a21e4
e2d63f9f87c6a50b4c63d2a4d5620ad81e9438278883f8de7c92ca2204e753bb
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/230301-vb9rrahb43/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cd538d6c9101cb1ee74257d4540d167ef2fbd4bf9649778d3c669d0d3bf67453

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Pkg
Create hunting rule
Author:nwunderly
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe cd538d6c9101cb1ee74257d4540d167ef2fbd4bf9649778d3c669d0d3bf67453

(this sample)

  
Delivery method
Distributed via web download

Comments