MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e245603d93bc6a65e4ffe1a4ce8f9c0a9d500fa2fc0ceea85de8216a0b4b140d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: e245603d93bc6a65e4ffe1a4ce8f9c0a9d500fa2fc0ceea85de8216a0b4b140d
SHA3-384 hash: 4899df30ac67b3783f645b8c66c13073844169dc1abf21417a9fdcfc3bde7299d45845d8baead607fd0e7d84131cec00
SHA1 hash: ec05c8dd0ffb1aae26557a47a0ab552f966fcadf
MD5 hash: 831bbabfcd2487c10c13fbdd6ab35641
humanhash: ten-michigan-summer-oregon
File name:BBIOHV.eXE
File size:1'237'089 bytes
First seen:2021-12-14 16:41:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 24576:hZ7Xar2VsBq/OebtXkkyvxjXx7uGebB92G44f/czKenXI1xyKnC:NsGzSjX1uN9T4nZY1xyKC
Threatray 1'215 similar samples on MalwareBazaar
TLSH T121451232FAC584B1D5732C3559F8C731AA3C7C202F648F5EA7E43A1EAE705814625BA3
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter iam_py_test
Tags:exe spyware
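Before analysing a sample pulled from this entry, confirm it is the file the entry describes. The following added example is mine, not MalwareBazaar's own tooling: it recomputes the four cryptographic digests listed above in a single pass over the file and checks for the MZ/PE header layout that the "File type: Executable exe" and "MIME type: application/x-dosexec" fields imply. imphash, ssdeep, TLSH and dhash need third-party libraries (pefile, ssdeep, python-tlsh) and are left out. The minimal PE buffer is constructed only to exercise the header check; the file path is supplied on the command line.

```python
import hashlib
import io
import struct
import sys

# Digests published on the MalwareBazaar entry above.
ENTRY_HASHES = {
    "sha256": "e245603d93bc6a65e4ffe1a4ce8f9c0a9d500fa2fc0ceea85de8216a0b4b140d",
    "sha3_384": "4899df30ac67b3783f645b8c66c13073844169dc1abf21417a9fdcfc3bde7299d45845d8baead607fd0e7d84131cec00",
    "sha1": "ec05c8dd0ffb1aae26557a47a0ab552f966fcadf",
    "md5": "831bbabfcd2487c10c13fbdd6ab35641",
}

# Constructed buffer with a valid MZ/PE signature layout (e_lfanew at 0x3C
# pointing at "PE\0\0"); it is not an executable and exists only for testing.
MINIMAL_PE = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"


def looks_like_pe(head: bytes) -> bool:
    """True if head starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def digest_stream(stream, algorithms, chunk=1 << 20):
    """Compute several digests in one pass so a large sample is read only once."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_stream(stream, expected):
    """Compare a seekable binary stream against a dict of algorithm -> hex digest."""
    head = stream.read(0x400)
    stream.seek(0)
    actual = digest_stream(stream, expected.keys())
    hashes = {a: (expected[a].lower(), actual[a], expected[a].lower() == actual[a])
              for a in expected}
    return {
        "is_pe": looks_like_pe(head),
        "hashes": hashes,
        "all_match": all(ok for _, _, ok in hashes.values()),
    }


def verify_bytes(data: bytes, expected=ENTRY_HASHES):
    return verify_stream(io.BytesIO(data), expected)


def verify_file(path: str, expected=ENTRY_HASHES):
    with open(path, "rb") as f:
        return verify_stream(f, expected)


if __name__ == "__main__":
    result = verify_file(sys.argv[1])
    print("PE header:", "ok" if result["is_pe"] else "MISSING")
    for algo, (want, got, ok) in result["hashes"].items():
        print(f"{algo:9} {'ok' if ok else 'MISMATCH'}  got {got}")
    sys.exit(0 if result["all_match"] else 1)
```

A mismatch on any digest means the file on disk is not this entry's sample (a different upload, a re-packed copy, or a truncated download); a PE header that is absent while the hashes match would point to an error in the entry itself rather than in the download.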

Intelligence


File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup_x86_x64_install.exe
Verdict:
Malicious activity
Analysis date:
2021-10-30 11:12:56 UTC
Tags:
trojan rat redline evasion loader opendir stealer vidar formbook

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Launching a process
Launching cmd.exe command interpreter
Creating a process with a hidden window
DNS request
Creating a file in the %temp% directory
Delayed writing of the file
Creating a process from a recently created file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
76 / 100
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Behaviour
Behavior Graph:
Behavior Graph ID: 539716
Sample: BBIOHV.eXE
Start date: 14/12/2021
Architecture: WINDOWS
Score: 76

Signatures on the submitted sample:
    Multi AV Scanner detection for submitted file
    Machine Learning detection for sample
    Sigma detected: Mshta Spawning Windows Shell
    2 other signatures

Process tree:
    BBIOHV.eXE (started)
        mshta.exe (started)
            cmd.exe (started)
                dropped: C:\Users\user\AppData\Local\Temp\BBIOHV.eXE, PE32
                BBIOHV.eXE (started from the dropped file)
                    Multi AV Scanner detection for dropped file
                    Machine Learning detection for dropped file
                taskkill.exe (started)
                conhost.exe (started)
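The ANY.RUN behaviour list and the sandbox process tree above describe one chain: the submitted executable starts mshta.exe, which starts cmd.exe, which drops a copy of the executable into %temp%, launches it and calls taskkill.exe. The following added example is mine, not a vendor rule or content from this entry. It rebuilds that tree from constructed Sysmon Event ID 1 style process-creation records and applies three checks modelled on the signatures named above; the first follows the logic of the Sigma rule "MSHTA Spawning Windows Shell" in spirit only, not its exact text. PIDs, the desktop path and the benign noise events are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed Sysmon Event ID 1 style records modelled on the sandbox process
# tree in this entry. PIDs and the desktop path are made up; PID 500 stands in
# for explorer.exe, which is deliberately absent from the event set.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process

EVENTS = [
    ProcEvent(1000, 500,  r"C:\Users\user\Desktop\BBIOHV.eXE"),
    ProcEvent(1010, 1000, r"C:\Windows\System32\mshta.exe"),
    ProcEvent(1020, 1010, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1030, 1020, r"C:\Windows\System32\taskkill.exe"),
    ProcEvent(1040, 1020, r"C:\Users\user\AppData\Local\Temp\BBIOHV.eXE"),
    ProcEvent(1050, 1020, r"C:\Windows\System32\conhost.exe"),
    # Benign noise: an interactive cmd.exe under the same parent as the sample
    # and a taskkill run from it. Neither has mshta.exe in its ancestry.
    ProcEvent(2000, 500,  r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2010, 2000, r"C:\Windows\System32\taskkill.exe"),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"mshta.exe"}
TEMP_MARKER = "\\appdata\\local\\temp\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_index(events):
    return {e.pid: e for e in events}


def ancestry(index, pid, limit=32):
    """Process names from pid up to the highest ancestor we have a record for, child first."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(index[pid].image))
        pid = index[pid].ppid
    return chain


def detect(events):
    """Return (rule_name, pid) pairs for events matching the three checks."""
    index = build_index(events)
    hits = []
    for e in events:
        name = basename(e.image)
        parent = index.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        lineage = set(ancestry(index, e.pid))
        # 1. a script host spawning a shell (after Sigma "MSHTA Spawning Windows Shell")
        if pname in SCRIPT_HOSTS and name in SHELLS:
            hits.append(("mshta_spawning_windows_shell", e.pid))
        # 2. taskkill run from a shell whose ancestry includes mshta.exe
        if name == "taskkill.exe" and pname in SHELLS and lineage & SCRIPT_HOSTS:
            hits.append(("taskkill_via_shell_under_mshta", e.pid))
        # 3. a shell launching an executable out of %temp%
        if pname in SHELLS and TEMP_MARKER in e.image.lower():
            hits.append(("exe_launched_from_temp_by_shell", e.pid))
    return hits


if __name__ == "__main__":
    index = build_index(EVENTS)
    for rule, pid in detect(EVENTS):
        print(f"{rule:33} pid={pid}  {' <- '.join(ancestry(index, pid))}")
```

The ancestry requirement on the taskkill check is what keeps the benign interactive cmd.exe and its taskkill out of the results; matching on image names alone, as the sandbox's "Launching a tool to kill processes" line does, would flag both.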
Threat name:
Win32.Trojan.Cryprar
Status:
Malicious
First seen:
2021-10-30 05:36:42 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
23 of 45 (51.11%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Behaviour
Kills process with taskkill
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SHA256 hash:
e245603d93bc6a65e4ffe1a4ce8f9c0a9d500fa2fc0ceea85de8216a0b4b140d
MD5 hash:
831bbabfcd2487c10c13fbdd6ab35641
SHA1 hash:
ec05c8dd0ffb1aae26557a47a0ab552f966fcadf
Malware family:
CryptOne
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments