MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed75c6ca906db8a1e26373f055604236d78d1ac1b22d8f9a11f74f557824d2b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: ed75c6ca906db8a1e26373f055604236d78d1ac1b22d8f9a11f74f557824d2b0
SHA3-384 hash: 2e7384719e0e8c11d10108124eee2c876f2b1c238963039d7c4c8f04868094e78465d4b19910c06558985c1df2204380
SHA1 hash: 483e60acef57b234c57d062d94ef4e5f22b0a60a
MD5 hash: bbd2ac7769015665187999fe3b2589b9
humanhash: kentucky-fifteen-asparagus-seven
File name: SecuriteInfo.com.W32.SDBot.PTF.tr.bdr.18349.18201
File size: 4'166'476 bytes
First seen: 2024-01-20 02:36:03 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 884310b1928934402ea6fec1dbd3cf5e (3'725 x GCleaner, 3'455 x Socks5Systemz, 262 x RaccoonStealer)
ssdeep: 98304:MywTMaZ6WZew/yloA2vhLRzJZqpV7Jf6g2BaUougaAjnmX2l+FL:oMajYelL/IpV7Jf325ASXNFL
TLSH: T18D16337672648935C472CEB5CC54902840262F29FD69DC09B9F9F5AC2FBAFA448CD3E1
TrID: 51.3% (.EXE) Win32 Executable PowerBASIC/Win 9.x (148303/79/28)
37.1% (.EXE) Inno Setup installer (107240/4/30)
4.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: b298acbab2ca7a72 (2'327 x GCleaner, 1'631 x Socks5Systemz, 67 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 311
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Sending a custom TCP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint installer lolbin overlay packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 44 / 100
Signature
Antivirus detection for URL or domain
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Multi AV Scanner detection for dropped file
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade debugger and weak emulator (self modifying code)
Behaviour
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Executes dropped EXE
Loads dropped DLL
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments