MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd
SHA3-384 hash:	28e464ccae3e59856a742c213c09057f1e9e7af203c40aa1c0aee694acac95963f12f36a02cfcd79a1ec936e684c374b
SHA1 hash:	b0736c9c4dc2d1013f3794a604efa965b1cd0cb4
MD5 hash:	b19e3c2a84adc5cb0e8246430cd289fa
humanhash:	winner-football-cold-steak
File name:	b19e3c2a84adc5cb0e8246430cd289fa.exe
Download:	download sample
File size:	2'845'757 bytes
First seen:	2023-08-31 06:23:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fa8d20faea9ef7b4e2b7fbfe93442593 (17 x RedLineStealer, 4 x CoinMiner, 3 x AgentTesla)
ssdeep	49152:mDkUrjrxRvdRVQioFIG5Ethdc2tg9eLJshFttFRMHWJDyxgTF1:m4UT4FRuUss/t1iQ
Threatray	88 similar samples on MalwareBazaar
TLSH	T124D52322BAC48436DD7A1A711FE44B317B397C712B358BD7A7446E0AAF31291AE34353
TrID	91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39) 3.6% (.EXE) Win64 Executable (generic) (10523/12/4) 1.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 1.5% (.EXE) Win32 Executable (generic) (4505/5/1) 0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	abuse_ch
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

291

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

b19e3c2a84adc5cb0e8246430cd289fa.exe

Verdict:

Suspicious activity

Analysis date:

2023-08-31 06:24:20 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3770bc22-91e7-4058-9daa-cfbe06e90c27

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/445430/

Detection(s):

SecuriteInfo.com.Trojan.Uztuby.4.19274.32072.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Searching for the window

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the %temp% directory

Launching a process

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware lolbin overlay packed replace setupapi shdocvw shell32

Link:

https://www.filescan.io/uploads/64f03207e52937d43d9fde14/reports/75d9c79f-1d30-404c-83a7-999164fb6e68/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/742825d6-5fd8-452d-a4e8-8a7576b9ac67

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1300840

Signature

Antivirus detection for dropped file

Machine Learning detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd/

Threat name:

Win32.Trojan.Uztuby

Status:

Malicious

First seen:

2023-08-31 06:24:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 38 (39.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jdy3gygyoztwae6p2rw4xkdpa3ygokete5kjzy5pfbxnpys2x6q._file

Verdict:

malicious

1b57f88dd88cf59b0f9aa09f1f4dd393c6b787f70afa9b6b111861d1a10af6a7

2646dd01581c1813f0478a25051ca4edac5e5c4fedcbd1ac0b4ca758426ec52d

63c4a15cd773f238eff00aa96951811734883b01d9460389aee9cdbe3edc437b

71a7be17ce0aa73dc1b2a2e353bc5ac7bc8e401f74c2681b4348650caf13d82b

865ce93c33fd5a94da06f2267d3d0817b95c2af40a6fc64bb9de0191ae6dc93e

8ee0b8f40e58ae7ff46cb2779d8b0796071873d554d9d6ec4ae7207c9e26b865

9caad784222d3fb486822446983ef20eb408845146c9bf954bf2e185fb4e35d1

b4c2ff718a6f5c872387c54960848ea4798b78ac9ea50928106cf66a4bdffeb1

df4f2bd477daed3aa0c4665f2b989157fa971af504981ebd35c4af660d82ccb1

+ 78 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/230831-g5224sdb7t/

Behaviour

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Checks computer location settings

Loads dropped DLL

Unpacked files

SH256 hash:

ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

MD5 hash:

b19e3c2a84adc5cb0e8246430cd289fa

SHA1 hash:

b0736c9c4dc2d1013f3794a604efa965b1cd0cb4

Link:

https://www.unpac.me/results/1459e8b5-ab69-4771-bfe9-726e565461a7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

exe ea478d9b06c3b33b009e7ea36e5d437837833944993aa4e71d794376bf12d5fd

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2708245/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/445430/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample