MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025
SHA3-384 hash: 0b801139a975b968063593bc59ff082d036616188b17b165ec85315d43059042598648438efe521a76161286b21e24d1
SHA1 hash: 501c7bbeae329cd4f845bacc9753dabe942700c7
MD5 hash: 419e0fb814d614d491fe487ef29ea77e
humanhash: bravo-vegan-helium-cardinal
File name:419e0fb814d614d491fe487ef29ea77e.dll
Download: download sample
File size:5'519'872 bytes
First seen:2021-10-25 07:22:21 UTC
Last seen:2021-10-25 08:35:43 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 5635b0933774ada04c0cb469937a7e29
ssdeep 49152:vJrYmVXt58SfHI5OcBFiZ5Gnvkd6SKKYCwNGFSHnsHSsd3SfFEBrVX9S2THTQIHk:vJVh4s5Gcd6zK3wNNQSsd3SsrVX
Threatray 3 similar samples on MalwareBazaar
TLSH T121466D12B388663AD07B0E3B5827E260583F7B713D22DC576BF4494C5F36A416A3A787
Reporter abuse_ch
Tags:dll

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199790/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Win.Packed.Zusy-9891964-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware keylogger
Link:
https://www.filescan.io/uploads/6176a3059a5a1e91c5d20d7a/reports/ec02364b-ba59-429d-9d2b-10570ec09b06/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
SpyBanker
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c01d60c6-07c2-4ead-8247-e1c5887d7d2d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/875178
Signature
Found detection on Joe Sandbox Cloud Basic with higher score
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507606 Sample: rqvufRfLLN.dll Startdate: 22/10/2021 Architecture: WINDOWS Score: 60 39 Multi AV Scanner detection for submitted file 2->39 41 Found detection on Joe Sandbox Cloud Basic with higher score 2->41 43 Machine Learning detection for sample 2->43 8 loaddll32.exe 1 2->8         started        process3 process4 10 cmd.exe 1 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        16 5 other processes 8->16 process5 18 rundll32.exe 10->18         started        20 WerFault.exe 9 12->20         started        22 WerFault.exe 12->22         started        24 WerFault.exe 14->24         started        26 WerFault.exe 14->26         started        28 WerFault.exe 23 9 16->28         started        30 WerFault.exe 16->30         started        32 WerFault.exe 16->32         started        process6 34 WerFault.exe 2 9 18->34         started        dnsIp7 37 192.168.2.1 unknown unknown 34->37
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025/
Threat name:
Win32.Trojan.Mekotio
Create hunting rule
Status:
Malicious
First seen:
2021-10-22 01:14:00 UTC
AV detection:
11 of 28 (39.29%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
4853a8acc62d6586eddfb30dcbb97ffa82c5f65460708fd3a969c88e29f99160
a64edb19e71549fb9248b27b58f911a4a1e8cd8b8e4adff93ecfb7e15a3cdad7
d7b59654644c399eaf13d7460b928ebf8f94bfd9e97e4a135ef005719e4eb18b
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211025-h7tdesgfgp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
e6bf7bc4b7f5235a307f5253ef3595d8aa50fefcfdb141d0e75c108676a584cd
MD5 hash:
08a93f96f2db097a8b730b338a6072df
SHA1 hash:
69cfef586bb5ed74a205cc66e252ae1b7ece2e9c
Link:
https://www.unpac.me/results/53f588bd-7e79-4eec-b9ce-f5370dac57cd/
SH256 hash:
2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025
MD5 hash:
419e0fb814d614d491fe487ef29ea77e
SHA1 hash:
501c7bbeae329cd4f845bacc9753dabe942700c7
Link:
https://www.unpac.me/results/53f588bd-7e79-4eec-b9ce-f5370dac57cd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_DustSquad_PE_Nov19_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:APT_DustSquad_PE_Nov19_2
Create hunting rule
Author:Arkbird_SOLG
Description:Detection Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SR_APT_DustSquad_PE_Nov19
Create hunting rule
Author:Arkbird_SOLG
Description:Super Rule for APT DustSquad campaign Nov19
Reference:https://twitter.com/Rmy_Reserve/status/1197448735422238721

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199790/

Comments