MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600
SHA3-384 hash: 00c55ee3d7ba957748275d9de0ad19006deb062c40b7a49f7b6fdd092ca5093b9ba7407db9d3717d5cf6f34374b34112
SHA1 hash: 6818dd11e03b8283b3a57d02edb6329e216b4d07
MD5 hash: 819ebb36bf053ef2d41eec6fc3433e0e
humanhash: papa-fix-charlie-mango
File name:819ebb36bf053ef2d41eec6fc3433e0e.exe
Download: download sample
File size:2'558'464 bytes
First seen:2023-06-15 21:03:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 49152:fdMeCL9PeqU9QWsNNHrxwYb32kR/pG1OD5TDe8EnGON:HO4qkQNNHrxwYbGkR/pKODhaDnGO
Threatray 1'657 similar samples on MalwareBazaar
TLSH T126C5F04162F98A04E1BB7B71AEB146918D76BCA3A934C62D354C751F2F71A80CD33B27
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
819ebb36bf053ef2d41eec6fc3433e0e.exe
Verdict:
Malicious activity
Analysis date:
2023-06-15 21:05:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d8a4e916-42a6-4d71-a1d0-89cd10fa4b1b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/399326/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Spy.1698.1026.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.MSIL.Spy.13143.18901.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
DNS request
Sending a custom TCP request
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
clipbanker lolbin packed packed
Link:
https://www.filescan.io/uploads/648b7cc4136f01348e5ab3f8/reports/71bae570-c75d-448b-9283-d71bd342d12d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/3342b3e4-43df-4752-8cf2-51f17da0fb90
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1255640
Signature
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600/
Threat name:
Win32.Trojan.Casdet
Create hunting rule
Status:
Malicious
First seen:
2023-06-15 21:04:06 UTC
File Type:
PE (Exe)
Extracted files:
305
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7n5pe5xpeod6lcdoxmb2f6ztprhjkmqhwesuig7ntbe66uyucyaa._file
Verdict:
unknown
Similar samples:
14bb337bfab1686103f252a2d7079863980237f1679164c3b519caadd3cca27a
314259cc43c8619b5f8e1ec548b34b64d6b8084342cdd6d8a970718c2d791da8
3e9c629c225bf857fc3183cc5f17ae5816e04f20c7d9636d5d6adac849ed2279
41c2bbd61ad11d1fd1e1c8771edd92d1ab5df475c65764c2c5153f6afef84894
50575798954fd5dff1f376d1597a3d0ff52f51789c5ae98b48957590b540bcce
8fbf0b841a18807b33e676c7224f11b4e6aa7725aa410ae66a9dbcea614009a9
a155b362ccb1506dbbf3c0500b917af50e12763997b6fcacfce490cbd032c55b
a3acdf009a9db20af30be0c6fcdcdc27ad9db3ee9a84bc52d9e6f7d30ec42af2
a43aeebdf142d982d97157178d0b190e386b39d532c8782a7767f84f2a88e97b
fe498281daf27f0c6a5db9859192e2e8371f03f36a92d83e3f691677426dde18
+ 1'647 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/230615-zwkqksbb9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/fdfd2dc3-7f55-424b-bda4-bce9ce9dee4c/
SH256 hash:
fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600
MD5 hash:
819ebb36bf053ef2d41eec6fc3433e0e
SHA1 hash:
6818dd11e03b8283b3a57d02edb6329e216b4d07
Link:
https://www.unpac.me/results/fdfd2dc3-7f55-424b-bda4-bce9ce9dee4c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe fb7af276ef2387e5886ebb03a2fb337c4e953207b125441bed9849ef53141600

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2662804/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/399326/

Comments