MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
SHA3-384 hash: 80b0259cb45ab3572097babdfe490ae3c71cbd29baab1faec8e893b9cce502a47bc583a7e57bf43e62b8c595da38e069
SHA1 hash: 91a3471081352093d319e97abf787ecd7ecbd2d3
MD5 hash: d050948cba26749ca0ae38c401cae549
humanhash: connecticut-nine-missouri-alabama
File name: d050948cba26749ca0ae38c401cae549
File size: 4'379'392 bytes
First seen: 2021-10-18 09:34:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2c58ba983cbcad8b3c06c5b4f999bb55 (1 x Mansabo)
ssdeep: 98304:Jf0gnUUlBQgyoOqHAvtgWgyuccfQ+qDh/d8:h0gUUlqHqMgyuTfQ2
Threatray: 3 similar samples on MalwareBazaar
TLSH: T15016226622263D46F1C5CE3A5D2BAFA9B1F9032F47F2BC74514DED9711210B2628FA13
dhash icon: f0c0fefcfefcfefc (1 x MeduzaStealer)
Reporter: zbetcheckin
Tags: 32 exe
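Before doing anything with a downloaded copy of this entry, recompute all four digests and compare them with the values listed above; a partial match (say, MD5 agreeing while SHA256 does not) means you have a different file. The following is an added Python example, not MalwareBazaar tooling. ENTRY_HASHES and KNOWN_SHA256 are copied from this page (the latter also includes the two unpacked-file SHA256s listed further down); the bytes hashed in demo() are constructed and will not match the real sample.

```python
"""Verify a downloaded copy of this entry against the hashes listed above.

Added example (not MalwareBazaar tooling). ENTRY_HASHES and KNOWN_SHA256 are
copied from this page; the bytes hashed in demo() are constructed and will
not match the real sample.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha3_384")

# Digests listed on this page for the submitted sample.
ENTRY_HASHES = {
    "md5": "d050948cba26749ca0ae38c401cae549",
    "sha1": "91a3471081352093d319e97abf787ecd7ecbd2d3",
    "sha256": "ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091",
    "sha3_384": "80b0259cb45ab3572097babdfe490ae3c71cbd29baab1faec8e893b9cce502a47bc583a7e57bf43e62b8c595da38e069",
}

# SHA256 of the submitted sample and of the two unpacked files listed on this page.
KNOWN_SHA256 = {
    "ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091": "submitted sample (VMProtect packed)",
    "bad600ae2ae3078fe54e67cfe4a32df1619f5a95fbe85afae5e6da6fd027b340": "unpacked file",
    "15f4c24f680f69d9b6b5dc917f5137921ffe3d8ddc8a1e7b34f778d141daedc8": "unpacked file",
}


def hash_stream(fh, chunk_size=1 << 20) -> dict:
    """One pass over a binary stream, all four hashes updated per chunk."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path) -> dict:
    """Hash a file on disk without reading it into memory at once."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data: bytes) -> dict:
    """Same four digests for an in-memory blob."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def compare(actual: dict, expected: dict) -> dict:
    """Per-algorithm match, case-insensitive on the hex."""
    return {name: actual[name].lower() == expected[name].lower() for name in expected}


def verify(actual: dict, expected: dict = ENTRY_HASHES) -> bool:
    """All listed digests must agree; one mismatch means a different file."""
    return all(compare(actual, expected).values())


def classify(sha256: str):
    """Label for a SHA256 that appears on this page, else None."""
    return KNOWN_SHA256.get(sha256.lower())


def demo() -> bool:
    """Write constructed bytes to a temp file and confirm that streaming and
    in-memory hashing agree and that the blob is not mistaken for the sample."""
    data = b"MZ" + bytes(range(256)) * 64  # constructed, not the sample
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        return hash_file(path) == hash_bytes(data) and not verify(hash_bytes(data))
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    h = hash_file(sys.argv[1]) if len(sys.argv) > 1 else hash_bytes(b"")
    for name, ok in compare(h, ENTRY_HASHES).items():
        print(f"{name:9s} {h[name]}  {'match' if ok else 'MISMATCH'}")
    print("entry match:", verify(h), "| known as:", classify(h["sha256"]))
```

Run it as `python verify.py <path-to-sample>`; classify() is handy for process dumps, since a dump whose SHA256 equals one of the unpacked-file hashes is the payload the sandbox already extracted.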

Intelligence


File Origin
# of uploads: 1
# of downloads: 153
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
Verdict: Malicious activity
Analysis date: 2021-10-18 04:25:59 UTC
Tags: trojan stealer loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: overlay packed

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: spyw.evad.troj
Score: 100 / 100
Signature
Creates autostart registry keys with suspicious names
Detected VMProtect packer
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Potential dropper URLs found in powershell memory
Potentially malicious time measurement code found
Self deletion via cmd delete
Sigma detected: Koadic Execution
Sigma detected: Suspicious Encoded PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Behaviour
Behavior Graph (ID 504541), rendered here as a process tree. Sample: t7uNkHwLzd.exe; start date: 18/10/2021; architecture: WINDOWS; score: 100.

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Detected VMProtect packer; 7 other signatures

t7uNkHwLzd.exe
    Network: 128.199.63.64 (ports 49696, 49697, 49700), DIGITALOCEAN-ASNUS, United Kingdom
    Dropped: C:\Users\user\AppData\Local\Temp\1.exe (PE32); C:\Users\user\AppData\Local\...\1[1].exe (PE32); C:\Users\user\AppData\Local\Temp\...\zip.dll (PE32); 30 other files (none is malicious)
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Self deletion via cmd delete; Tries to harvest and steal ftp login credentials; 3 other signatures
    1.exe
        Network: niggerburner.coin
        Dropped: C:\Users\user\...\D57637282340538976288.exe (PE32)
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Drops PE files to the document folder of the user; Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found
        D57637282340538976288.exe
            Network: niggerburner.coin -> 167.99.197.71 (ports 54734, 55444, 80), DIGITALOCEAN-ASNUS, United States
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Creates autostart registry keys with suspicious names; Tries to detect virtualization through RDTSC time measurements; Potentially malicious time measurement code found
            cmd.exe
                Signatures: Encrypted powershell cmdline option found
                conhost.exe
                powershell.exe
            notepad.exe
            WerFault.exe
            WerFault.exe
        cmd.exe
            Signatures: Encrypted powershell cmdline option found
            powershell.exe
                Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
                netsh.exe
            conhost.exe
    cmd.exe
        Signatures: Encrypted powershell cmdline option found; Uses ping.exe to check the status of other devices and networks
        PING.EXE
            Network: 127.0.0.1
        conhost.exe
        chcp.com
D57637282340538976288.exe (second instance)
    Network: 192.168.2.1; niggerburner.coin
    dllhost.exe
    WerFault.exe
D57637282340538976288.exe (third instance)
    Network: niggerburner.coin
Threat name: Win32.Backdoor.Androm
Status: Malicious
First seen: 2021-10-17 19:02:43 UTC
AV detection: 12 of 45 (26.67%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery evasion persistence spyware stealer suricata vmprotect
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks installed software on the system
Checks BIOS information in registry
Deletes itself
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
VMProtect packed file
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
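The four ET MALWARE alerts above describe the C2 traffic shape rather than a specific family: a single-character `.exe` fetched directly (compare the dropped `1.exe` and its WinINet cache copy `1[1].exe`), a `.bin` fetched from a bare IPv4 address, and `gate.php` check-ins with almost no request headers. The following is an added Python example that approximates those checks on the HTTP request head; it is not the Emerging Threats rule text, which this page does not reproduce. The requests in SAMPLE_REQUESTS are constructed, using the two DigitalOcean addresses from the behaviour graph as Host values, and the indicator names are hypothetical labels.

```python
"""Approximate the four ET MALWARE Suricata alerts above as request-head checks.

Added example, not the Emerging Threats rule text. SAMPLE_REQUESTS are
constructed (the Host values are the C2 addresses from the behaviour graph);
indicator names are hypothetical labels.
"""
import ipaddress
import re

SINGLE_CHAR_EXE = re.compile(r"^/[A-Za-z0-9]\.exe$", re.I)   # e.g. /1.exe
BIN_PATH = re.compile(r"\.bin$", re.I)
GATE_PHP = re.compile(r"^/gate\.php$", re.I)


def parse_request(raw: str):
    """Return (method, path-without-query, headers) for one HTTP/1.x request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return method, target.split("?", 1)[0], headers


def is_dotted_quad(host: str) -> bool:
    """True for a bare IPv4 Host value (optional :port), False for names and IPv6."""
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    try:
        return isinstance(ipaddress.ip_address(host), ipaddress.IPv4Address)
    except ValueError:
        return False


def classify_request(raw: str) -> list:
    """Indicator names that fire on this request head (empty list if none)."""
    method, path, headers = parse_request(raw)
    if method != "GET":
        return []
    host = headers.get("host", "")
    # "minimal headers": no User-Agent and at most Host plus one other header.
    minimal = "user-agent" not in headers and len(headers) <= 2
    hits = []
    if SINGLE_CHAR_EXE.match(path):
        hits.append("single_char_exe_download")
    if BIN_PATH.search(path) and is_dotted_quad(host):
        hits.append("bin_download_from_dotted_quad")
    if GATE_PHP.match(path) and minimal:
        hits.append("gate_php_minimal_headers")
    if GATE_PHP.match(path) and is_dotted_quad(host):
        hits.append("gate_php_dotted_quad")
    return hits


# Constructed request heads, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /1.exe HTTP/1.1\r\nHost: 128.199.63.64\r\nCache-Control: no-cache\r\n\r\n",
    "GET /gate.php?hwid=ABCDEF HTTP/1.1\r\nHost: 167.99.197.71\r\n\r\n",
    "GET /update.bin HTTP/1.1\r\nHost: 128.199.63.64\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.split("\r\n", 1)[0], "->", classify_request(req))
```

Only the request head is needed for any of these, which is why such checks are cheap enough to run on proxy or flow logs as well as in an IDS; the "minimal headers" heuristic is the one most worth tuning, since legitimate tooling (package managers, update agents) also sends sparse requests.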
Unpacked files
SHA256 hash: bad600ae2ae3078fe54e67cfe4a32df1619f5a95fbe85afae5e6da6fd027b340
MD5 hash: 6d69355f5e213c36d224b2c450faae53
SHA1 hash: ee457f496054ae9381aabfdfe480dae2800079f7

SHA256 hash: 15f4c24f680f69d9b6b5dc917f5137921ffe3d8ddc8a1e7b34f778d141daedc8
MD5 hash: 1402b707995d9f16e358fcd9d04d322d
SHA1 hash: c09a46d7256fb279c0cf1dc0cfafe54cdb78731d

SHA256 hash: ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
MD5 hash: d050948cba26749ca0ae38c401cae549
SHA1 hash: 91a3471081352093d319e97abf787ecd7ecbd2d3
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091 (this sample)

Delivery method: Distributed via web download

Comments