MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604
SHA3-384 hash: 6e8f2f125eba1a3d5591a2ce5c91874a0130b0494e7289770c615fc046b38839f462f2c326e2280b6a0a668f7920da8c
SHA1 hash: 8945fb30a3807bd72daf1bdb09c97f905ed7b88d
MD5 hash: fb932030fc9a28e50e7aaeae19fea934
humanhash: network-oven-comet-bakerloo
File name:fb932030fc9a28e50e7aaeae19fea934.exe
Download: download sample
File size:698'368 bytes
First seen:2023-06-22 17:59:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0330cb8599ebc8e2472474ca94c4c09a
ssdeep 12288:KBPQd9uBP7su+Kflk5L1V/mojGFb6yOtlJJ2Tzh1wBP1KI/A3KGBh6Kqk8:p9mou+m4hlmoKMyO1U8KI/A3KG/yf
Threatray 25 similar samples on MalwareBazaar
TLSH T143E4F00071808932E97312325FFC89BC677DB961176929FB13D40EBE8FE96E1E532A15
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
245
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fb932030fc9a28e50e7aaeae19fea934.exe
Verdict:
No threats detected
Analysis date:
2023-06-22 18:01:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d97e3e0e-a2c4-4dde-87d8-1db8f347888a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/401728/
Detection(s):
SecuriteInfo.com.Variant.Babar.215418.6717.3011.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/92149/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware lolbin packed
Link:
https://www.filescan.io/uploads/6494a7ad72b30d3d8e17c7d6/reports/8c512408-9e27-40da-9fd3-b5655e704383/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fb65c58f-da9c-4035-a244-e5182ab9f1b2
Result
Threat name:
n/a
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1259926
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 892946 Sample: cWjBUyRg1I.exe Startdate: 22/06/2023 Architecture: WINDOWS Score: 52 15 Multi AV Scanner detection for submitted file 2->15 17 Machine Learning detection for sample 2->17 6 cWjBUyRg1I.exe 1 2->6         started        process3 process4 8 WerFault.exe 24 9 6->8         started        11 conhost.exe 6->11         started        file5 13 C:\ProgramData\Microsoft\...\Report.wer, Unicode 8->13 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2023-06-22 18:00:09 UTC
File Type:
PE (Exe)
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=77ha7nsvj3mnfpykrvwf7zlqg4fm2ejx3uzmpywwnmfcmmvacyca._file
Verdict:
unknown
Similar samples:
121312c1dcf375ac0ba310f43084b4d185639d615b1183c900a483ad16e92094
29f8caa4248a60f8e6d058fec89fd8679c7a7b695e30c3bb2582450864fc9585
427875607eaf3406b8a2212e6a4671bf6ded47f771f2bd39228014d05954214f
42b6e8227496414ba6c5eeeb5c77d2f281145f0c8901c948802c83f6564258da
5f4bfa1c4fc1b5d0f8dadb74ca35b3ee413ba48406704cef03276ee97a574474
70fed089cabe70e9ae9cd11f13054811e5995348a7d01292ad62cb0eb45ccd31
bfa09378fbf5c19facce069caed42b282e1a137e9c0570b10196bafebcb7bda2
d75821f15f29a2031c22880cae112457067158c40f850a9d5eb065237bf05cce
e9f3ec46387776b505948a3e6dc2f327edb466fec966a43124f950d34d572b58
f07c60c0d59d24a06570825f8de8f5f7f306fb8477119025140e52a86741217c
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230622-wlbs5sgc63/
Behaviour
Program crash
Unpacked files
SH256 hash:
ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604
MD5 hash:
fb932030fc9a28e50e7aaeae19fea934
SHA1 hash:
8945fb30a3807bd72daf1bdb09c97f905ed7b88d
Link:
https://www.unpac.me/results/cc921bb9-20ab-4eab-b9ac-fc2524b2fed9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe ffce0fb6554ed8d2bf0a8d6c5fe570370acd1137dd32c7e2d66b0a2632a01604

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/401728/
  
URLhaus
https://urlhaus.abuse.ch/url/2665674/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2665318/

Comments