MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Spambot.Kelihos


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84
SHA3-384 hash: 099039345d83cf903e5d9d4dd9b5614ec609479ce9326c67d7d7a2caf9cdfae0f558fdeb555af80fd036d93e73cdf8df
SHA1 hash: ca0c0381d3280344059396cdabcccf824fce6bce
MD5 hash: 6df3f2576aadf922fd460be1b646d866
humanhash: two-friend-mockingbird-low
File name:6DF3F2576AADF922FD460BE1B646D866.exe
Download: download sample
Signature Spambot.Kelihos
Create hunting rule
File size:2'621'440 bytes
First seen:2024-02-10 19:50:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0980a5bdf7b225ee6a859c0ebee6a4b5 (4 x Amadey, 2 x RedLineStealer, 1 x LummaStealer)
ssdeep 49152:+WxPSbZNZwLlFfceCJpP4bc4NcZ2eaMyuhepgMWhHraukM8wY2Gk:gNbArfmuwvZ2ewRpU5aukyY2
TLSH T17DC5338454082FF9CC7C0CB8D4B8A23116B949EF107C15AB5EAD248B761FF6957E3A39
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe Spambot.Kelihos


Avatar
abuse_ch
Spambot.Kelihos C2:
http://5.42.64.44/BlsSwk93eX/index.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Amadey
Create hunting rule
Link:
https://www.capesandbox.com/analysis/475706/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
enigma enigma lolbin packed packed shell32
Link:
https://www.filescan.io/uploads/65c7d3a754f1a1b63b68b63d/reports/a5c28bb5-8189-469d-a188-9d8233a5cced/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f11c8311-d8b8-4b55-8f9a-d73ae84c7cfc
Result
Threat name:
LummaC, Amadey, LummaC Stealer, PureLog
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1390200
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Detected Stratum mining protocol
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
LummaC encrypted strings found
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies windows update settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Capture Wi-Fi password
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390200 Sample: Bbd9GbGTz6.exe Startdate: 10/02/2024 Architecture: WINDOWS Score: 100 123 triangleseasonbenchwj.shop 2->123 125 secretionsuitcasenioise.shop 2->125 127 5 other IPs or domains 2->127 167 Snort IDS alert for network traffic 2->167 169 Multi AV Scanner detection for domain / URL 2->169 171 Found malware configuration 2->171 173 23 other signatures 2->173 10 explorgu.exe 1 38 2->10         started        15 Bbd9GbGTz6.exe 5 2->15         started        17 dota.exe 2->17         started        19 5 other processes 2->19 signatures3 process4 dnsIp5 147 185.215.113.32, 49729, 49730, 49732 WHOLESALECONNECTIONSNL Portugal 10->147 149 193.233.132.167, 49731, 80 FREE-NET-ASFREEnetEU Russian Federation 10->149 153 2 other IPs or domains 10->153 109 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 10->109 dropped 111 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 10->111 dropped 113 C:\Users\user\AppData\Local\...\File300un.exe, PE32 10->113 dropped 119 13 other malicious files 10->119 dropped 227 Multi AV Scanner detection for dropped file 10->227 229 Detected unpacking (changes PE section rights) 10->229 231 Contains functionality to inject code into remote processes 10->231 21 dota.exe 10->21         started        26 lumma123142124.exe 10->26         started        28 daissss.exe 10->28         started        36 4 other processes 10->36 115 C:\Users\user\AppData\Local\...\explorgu.exe, PE32 15->115 dropped 233 Hides threads from debuggers 15->233 151 127.0.0.1 unknown unknown 19->151 117 C:\Users\user\AppData\Local\...\Login Data, SQLite 19->117 dropped 30 WerFault.exe 19->30         started        32 WerFault.exe 19->32         started        34 msedge.exe 19->34         started        file6 signatures7 process8 dnsIp9 135 185.215.113.46 WHOLESALECONNECTIONSNL Portugal 21->135 137 193.233.132.62 FREE-NET-ASFREEnetEU Russian Federation 21->137 139 ipinfo.io 34.117.186.192 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 21->139 99 C:\Users\user\...\ruDIY_Czzft32qPaP36L.exe, PE32 21->99 dropped 101 C:\Users\user\...\Z2o5j0FZGuSk7fLi7fG3.exe, PE32 21->101 dropped 103 C:\Users\user\...\QVZ1ueQSaU4r8JTWcCpj.exe, PE32 21->103 dropped 107 8 other malicious files 21->107 dropped 201 Detected unpacking (changes PE section rights) 21->201 203 Contains functionality to check for running processes (XOR) 21->203 205 Binary is likely a compiled AutoIt script file 21->205 223 4 other signatures 21->223 38 ruDIY_Czzft32qPaP36L.exe 21->38         started        41 QVZ1ueQSaU4r8JTWcCpj.exe 21->41         started        55 2 other processes 21->55 207 Multi AV Scanner detection for dropped file 26->207 209 Writes to foreign memory regions 26->209 211 Allocates memory in foreign processes 26->211 213 LummaC encrypted strings found 26->213 43 RegAsm.exe 26->43         started        46 conhost.exe 26->46         started        215 Injects a PE file into a foreign processes 28->215 48 RegAsm.exe 28->48         started        57 2 other processes 28->57 141 185.215.113.67 WHOLESALECONNECTIONSNL Portugal 36->141 105 C:\Users\user\AppData\...\wfcoyqcddpgi.sys, PE32+ 36->105 dropped 217 System process connects to network (likely due to code injection or exploit) 36->217 219 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 36->219 221 Found many strings related to Crypto-Wallets (likely being stolen) 36->221 225 4 other signatures 36->225 51 rundll32.exe 25 36->51         started        53 explorer.exe 36->53         started        file10 signatures11 process12 dnsIp13 175 Detected unpacking (changes PE section rights) 38->175 177 Tries to detect sandboxes and other dynamic analysis tools (window names) 38->177 193 6 other signatures 38->193 195 3 other signatures 41->195 155 claimconcessionrebe.shop 104.21.58.31 CLOUDFLARENETUS United States 43->155 157 liabilityarrangemenyit.shop 104.21.83.220 CLOUDFLARENETUS United States 43->157 163 3 other IPs or domains 43->163 179 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 43->179 181 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 43->181 183 Drops PE files to the startup folder 43->183 59 WerFault.exe 43->59         started        61 WerFault.exe 43->61         started        159 144.76.1.85 HETZNER-ASDE Germany 48->159 97 C:\Users\user\AppData\Roaming\...\qemu-ga.exe, PE32 48->97 dropped 197 2 other signatures 48->197 185 Tries to steal Instant Messenger accounts or passwords 51->185 199 3 other signatures 51->199 63 powershell.exe 26 51->63         started        67 netsh.exe 2 51->67         started        161 pool.hashvault.pro 142.202.242.43 1GSERVERSUS Reserved 53->161 187 System process connects to network (likely due to code injection or exploit) 53->187 189 Query firmware table information (likely to detect VMs) 53->189 191 Binary is likely a compiled AutoIt script file 55->191 69 chrome.exe 55->69         started        72 chrome.exe 55->72         started        74 chrome.exe 55->74         started        76 10 other processes 55->76 file14 signatures15 process16 dnsIp17 121 C:\Users\user\...\246122658369_Desktop.zip, Zip 63->121 dropped 165 Found many strings related to Crypto-Wallets (likely being stolen) 63->165 78 conhost.exe 63->78         started        80 conhost.exe 67->80         started        143 192.168.2.4, 443, 49729, 49730 unknown unknown 69->143 145 239.255.255.250 unknown Reserved 69->145 82 chrome.exe 69->82         started        85 chrome.exe 72->85         started        87 chrome.exe 74->87         started        89 chrome.exe 76->89         started        91 msedge.exe 76->91         started        93 msedge.exe 76->93         started        95 msedge.exe 76->95         started        file18 signatures19 process20 dnsIp21 129 clients.l.google.com 142.250.105.102 GOOGLEUS United States 82->129 131 www.google.com 142.250.105.99 GOOGLEUS United States 82->131 133 12 other IPs or domains 82->133
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84/
Threat name:
Win32.Trojan.Deyma
Create hunting rule
Status:
Malicious
First seen:
2024-02-05 17:18:51 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z277xxmbd5qe2qp4yx6yawwezp5zfmpc7x44uzcn4a6ttokgvsca._file
Verdict:
malicious
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:amadey family:redline family:risepro family:xmrig botnet:new infostealer miner spyware stealer trojan upx
Link:
https://tria.ge/reports/240210-yktnnshg86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
Blocklisted process makes network request
Downloads MZ/PE file
XMRig Miner payload
Amadey
RedLine
RedLine payload
RisePro
xmrig
Malware Config
C2 Extraction:
http://185.215.113.32
193.233.132.62
185.215.113.67:26260
Unpacked files
SH256 hash:
cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84
MD5 hash:
6df3f2576aadf922fd460be1b646d866
SHA1 hash:
ca0c0381d3280344059396cdabcccf824fce6bce
Link:
https://www.unpac.me/results/7eeab96a-f517-460a-9ece-da02a3b5281e/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cebffbdd811f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cebffbdd811f604d41fcc5fd805ac4cbfb92b1e2fdf9ca644de03d39b946ac84

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/475706/

Comments