MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eca147888bcb1a2706cacd5743c914d5c62dcb76b03a6b29625eeba17f6e78aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eca147888bcb1a2706cacd5743c914d5c62dcb76b03a6b29625eeba17f6e78aa
SHA3-384 hash: 86e76cdb430dbca3df4ab6e4d521915583a7fe4cbfd49c58a5cdc4dee48de38262f120b48d91a45813ffec75772dc8ff
SHA1 hash: d06c1b2b0b90b0c8ee8a812631fa5001d6364208
MD5 hash: 18baa29d35a0247e21d0b4b2e3891811
humanhash: zulu-butter-north-quebec
File name:18baa29d35a0247e21d0b4b2e3891811.exe
Download: download sample
File size:1'041'920 bytes
First seen:2021-05-30 06:40:00 UTC
Last seen:2021-05-30 07:42:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 05170847fd36bdfb6ba500b52de3a324 (1 x PlagueBot)
ssdeep 24576:JNxsglIPAtgV+rnEQBg2AdqgwGd9OCPltP0gxkR3dCqJO5VxQ75S/1:B7uKrnEQi2Ad/wQPLP0gx1qt5S/1
Threatray 13 similar samples on MalwareBazaar
TLSH AB255C51B342C13BC86276B54E4DD2E206B5FA281D36E8DF35CB2F2D2E749511F2AA07
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
213
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
18baa29d35a0247e21d0b4b2e3891811.exe
Verdict:
Malicious activity
Analysis date:
2021-05-30 06:43:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3377b18e-fc3a-4e69-b8ef-34d214c8f203

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/163244/
Detection(s):
SecuriteInfo.com.Trojan.Malware.@G0@aaN0W7p.21777.3887.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Moving a file to the %temp% subdirectory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Sending a UDP request
DNS request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/794351
Signature
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 426747 Sample: WYeyfbEQ3t.exe Startdate: 30/05/2021 Architecture: WINDOWS Score: 80 91 Multi AV Scanner detection for submitted file 2->91 93 Machine Learning detection for sample 2->93 95 Sigma detected: System File Execution Location Anomaly 2->95 97 Sigma detected: Suspicious Svchost Process 2->97 11 WYeyfbEQ3t.exe 6 2->11         started        15 svchost.exe 2 2->15         started        process3 file4 85 C:\Users\user\AppData\Local\...\svchost.exe, PE32 11->85 dropped 87 C:\Users\user\AppData\Local\...\RCX808A.tmp, PE32 11->87 dropped 89 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 11->89 dropped 99 Uses schtasks.exe or at.exe to add and modify task schedules 11->99 101 Drops PE files with benign system names 11->101 17 svchost.exe 1 11->17         started        19 schtasks.exe 1 11->19         started        21 schtasks.exe 1 11->21         started        103 Multi AV Scanner detection for dropped file 15->103 105 Machine Learning detection for dropped file 15->105 23 svchost.exe 1 15->23         started        25 schtasks.exe 1 15->25         started        27 schtasks.exe 1 15->27         started        signatures5 process6 process7 29 svchost.exe 2 17->29         started        31 schtasks.exe 1 17->31         started        33 schtasks.exe 1 17->33         started        35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 svchost.exe 23->39         started        45 2 other processes 23->45 41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        process8 47 svchost.exe 2 29->47         started        49 schtasks.exe 1 29->49         started        51 schtasks.exe 1 29->51         started        53 conhost.exe 31->53         started        55 conhost.exe 33->55         started        57 schtasks.exe 39->57         started        59 schtasks.exe 39->59         started        61 conhost.exe 45->61         started        63 conhost.exe 45->63         started        process9 65 svchost.exe 47->65         started        67 schtasks.exe 1 47->67         started        69 schtasks.exe 47->69         started        71 conhost.exe 49->71         started        73 conhost.exe 51->73         started        75 conhost.exe 57->75         started        process10 77 schtasks.exe 65->77         started        79 conhost.exe 67->79         started        81 conhost.exe 69->81         started        process11 83 conhost.exe 77->83         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eca147888bcb1a2706cacd5743c914d5c62dcb76b03a6b29625eeba17f6e78aa/
Threat name:
Win32.Backdoor.Schnabrom
Create hunting rule
Status:
Malicious
First seen:
2021-05-23 04:39:22 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
06e145e0068c9631d558c1f1c04b51fe8c6a36052a6a051986642eb0dec85232
6153eb4861731cb8b710414247b40ca5851a31c6a79b44d488d02d59b4abc5ff
6df3cc776b52679aa742f3ce9a45617fa5bd66a4de5bd0594e2cb24d9e9534e7
75da456980b6c16a80a05269d6fee93bc18a242ebe0c7f9f014bad8828b09291
8c41074da2e38da01c61a00a6fb9a9983d5e6091547b4f7a5f74b3797a5a59fe
8d5fcc37dd8243986f9bb28dccd74960163c965f87f23fc4e0360f17188cc332
9ea59a3284eb0dfd4af9a58e5e5be9abf46cd42e911650f587c7d6d67d29691f
bb39c0c70183c13923ea4b4eedce081c40d7175e812de1e370ffcc3237fcbe75
bbdd92fe560df908080324d2c514af5c674f1aa2b8c4b65d5a37a5cd6ccbbba2
ee379be40d5c1621d1e0ccf136de363f950cbc92e5ee7f2b05c447cf8f6f2398
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210530-wgnl998tk2/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eca147888bcb1a2706cacd5743c914d5c62dcb76b03a6b29625eeba17f6e78aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/163244/

Comments