MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25
SHA3-384 hash: b45999a240532e2940dfad6ff3861514c140e5be907a62b596190246c3025f37ac0c8bb382d37d6acbd59912cd2bbe2b
SHA1 hash: 0dd2218d5d1903b5a667f1ba7a2248a394cc597a
MD5 hash: a0b1030b402875ed5ae9338b73e6b5b2
humanhash: william-chicken-tennessee-berlin
File name:a0b1030b402875ed5ae9338b73e6b5b2
Download: download sample
File size:4'741'120 bytes
First seen:2022-08-13 07:05:22 UTC
Last seen:2022-08-13 07:33:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (247 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 98304:++53GGwHj4p6/S7RI6kqhLneeNF0LK8DO4RLGSGs7wKBHrKlDmRMfq:953G2p8SLzXmfLzHmsMf
Threatray 145 similar samples on MalwareBazaar
TLSH T1242633FC862AC673F8774FBD3765E948A5035A3122CD212ADB2DE7E346BB2C01244597
TrID 86.3% (.EXE) UPX compressed Win64 Executable (70117/5/12)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
2.4% (.EXE) Generic Win/DOS Executable (2002/3)
2.4% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
423
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a0b1030b402875ed5ae9338b73e6b5b2
Verdict:
Suspicious activity
Analysis date:
2022-08-13 07:06:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7ed3a576-3819-462e-911e-f891d39ad75f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298403/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61228287.2088.9436.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62f74d43e456f39ac94647b0/reports/47806606-354d-4797-b7ab-426d0d1769ba/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
ngrok-server
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/02c1fd3d-6fc2-4125-b22e-99b68b86271e
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1050923
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25/
Threat name:
Win64.Trojan.Wofith
Create hunting rule
Status:
Malicious
First seen:
2022-08-09 08:35:21 UTC
File Type:
PE+ (Exe)
Extracted files:
11
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6aybavtkhl5ntuijnjjhebnzbdxt46x5i42yk6qpfvtqrmhxhmsq._file
Verdict:
malicious
Similar samples:
10c760b38e37d7df4fdb3caa56328e51943ac422018b1261fbd4820cdaa046d3
2f3cf6f156ce19666bd422299ae5a2055bc1f93dc1ed7330b7305668ef7b3cd5
6104f2b4049168fea236bb6a5b9a5194b878b61f87336eafb0fe5a5fab93144b
7b40863ec74aadb8aa7f38657302a39c1699f3e49dfc35ad63f32a0d37c19933
7d8de08a564f08ee20d746a2c445245b75247e772248073431fc30d16a4b9b14
7fa24025283e6b745f20c81e15a8cdb866905fb079579b71efd9e659398cb574
e00ddba4fd34c7b0f0f2e547ee9e3ff4c0cb4d906f1ca26b17ba2e3f459c59bd
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
+ 135 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
discovery upx
Link:
https://tria.ge/reports/220813-hw3gysheb7/
Behaviour
UPX packed file
Creates a large amount of network flows
Unpacked files
SH256 hash:
3e5f575ca0d39ac53d2834393c9870e9b7e50dc6e3cb936be1bfee406d9e874b
MD5 hash:
7a8c12ddc7cbcdc9f4924eeaf5dd8dba
SHA1 hash:
d0f1cb0816f8ce4a6862464b307919555782bba3
Detections:
win_grimplant_auto
Create hunting rule
Link:
https://www.unpac.me/results/e158fe1c-1d69-4ce6-aa91-8986e224b724/
SH256 hash:
f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25
MD5 hash:
a0b1030b402875ed5ae9338b73e6b5b2
SHA1 hash:
0dd2218d5d1903b5a667f1ba7a2248a394cc597a
Link:
https://www.unpac.me/results/e158fe1c-1d69-4ce6-aa91-8986e224b724/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables referencing non-Windows User-Agents
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:INDICATOR_TOOL_EXP_ApacheStrusts
Create hunting rule
Author:ditekSHen
Description:Detects Windows executables containing ApacheStruts exploit artifatcs
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe f03010566a3afad9d1096a527205b908ef3e7afd4735857a0f2d6708b0f73b25

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2272289/
Cape
Cape
https://www.capesandbox.com/analysis/298403/

Comments


Avatar
zbet commented on 2022-08-13 07:05:29 UTC

url : hxxp://212.87.212.218/scan.exe