MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Grandoreiro


Vendor detections: 6


Intelligence 6 IOCs YARA 29 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce
SHA3-384 hash: 12547532e7847f99a0c87d2050f7ef70b9cd61e6310a2d9ce2aaca31787137000b3e27d34d17f1217e58d7a1c6ded8d1
SHA1 hash: e4bade70beab8bce6214cd151bba7e73022e76a9
MD5 hash: 22751b6dd47c521bc3f7a32fd7caf288
humanhash: wyoming-arkansas-kilo-snake
File name:wewewe.zip
Download: download sample
Signature Grandoreiro
Create hunting rule
File size:40'131'261 bytes
First seen:2024-10-31 11:19:04 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 786432:IHjmpF+tawqvhulHzr8voouYYqhaJINWqnYWboxA0PpsgDiMiRR4OYsw34adWSJP:IHjmp8AvhgHXg0vqSI1tboxAUAMiRATR
TLSH T1CA9733D6AA5705F7D02A8EA1D71DBD1E905025F6F098213BDEFCCA6C20F9F02845BA1D
Magika zip
Reporter NDA0E
Tags:dllHijack geo Grandoreiro MEX PRT zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
NL NL
File Archive Information

This file archive contains 3 file(s), sorted by their relevance:

File name:unrar.dll
File size:178'176 bytes
SHA256 hash: 2631fcdf920610557736549e27939b9c760743a2cddec0b2c2254cfa40003fb0
MD5 hash: 4289541be75e95bcfff04857f7144d87
MIME type:application/x-dosexec
Signature Grandoreiro
File name:7zxa.dll
File size:80'042'496 bytes
SHA256 hash: 887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80
MD5 hash: 1c334775e07ed82f659da08e829bf04f
MIME type:application/x-dosexec
Signature Grandoreiro
File name:BLOCKBUSTER.exe
File size:9'571'304 bytes
SHA256 hash: 1d822b3faabb8f65fc30076d32a95757a2c369ccb64ae54572e9f562280ae845
MD5 hash: 74d3f521a38b23cd25ed61e4f8d99f16
MIME type:application/x-dosexec
Signature Grandoreiro
Vendor Threat Intelligence
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6723141849e92a05dde1fed6
Tags:
dropper exploit smtp
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
grandoreiro
Link:
https://www.filescan.io/uploads/672367e9e9959538ff3be14a/reports/f4798194-dcf1-447b-af03-e0d5ebc6fbf0/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Score:
15%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce
Gathering data
Threat name:
Win32.Trojan.Grandoreiro
Create hunting rule
Status:
Malicious
First seen:
2024-10-31 11:20:17 UTC
File Type:
Binary (Archive)
Extracted files:
1093
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pg77lqbjiroikkoh2boaieuq2rf55jjsfbpi5upupztl4dcpxha._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery evasion persistence privilege_escalation
Link:
https://tria.ge/reports/241031-qvnlea1jbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Bolonyokte
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:UnknownDotNet RAT - Bolonyokte
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:crime_win32_ransom_avaddon_1
Create hunting rule
Author:@VK_Intel
Description:Detects Avaddon ransomware
Reference:https://twitter.com/VK_Intel/status/1300944441390370819
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:html_auto_download_b64
Create hunting rule
Author:Tdawg
Description:html auto download
Rule name:INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
Author:ditekSHen
Description:Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Rule name:Macos_Infostealer_Wallets_8e469ea0
Create hunting rule
Author:Elastic Security
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:possible_trojan_banker
Create hunting rule
Author:@johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:with_urls
Create hunting rule
Author:Antonio Sanchez <asanchez@hispasec.com>
Description:Rule to detect the presence of an or several urls
Reference:http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Grandoreiro

Visual Basic Script (vbs) vbs f8520d764363ff22784c2bd6f77829ffe7396637936d68855bf56ae1f0c6dd5e

Grandoreiro

Visual Basic Script (vbs) vbs 6b16c2a1897f02f6f05f97ffcadd357071dc660708312b5c71341f9bb4bc285a

Grandoreiro

zip ebcdffae014a22e4294e3e82e0209486a25ef5299142f4768fa3f335f0627dce

(this sample)

Grandoreiro

DLL dll 887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80

  
Dropped by
SHA256 6b16c2a1897f02f6f05f97ffcadd357071dc660708312b5c71341f9bb4bc285a
  
Dropping
SHA256 887187043407a422d060ce7db8cceb26bd3457aec76a88e8e318cdc465bdbe80
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3267993/
  
URLhaus
https://urlhaus.abuse.ch/url/3267992/
  
Dropping
MD5 1c334775e07ed82f659da08e829bf04f
  
Dropped by
MD5 8d36763727659594c5481673a560d80c

Comments