MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7415e9c80b85ea9676b3be2dbc32314e35f9ca26800a97cd61d688f1af11f369. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SchoolBoy


Vendor detections: 1


Intelligence 1 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7415e9c80b85ea9676b3be2dbc32314e35f9ca26800a97cd61d688f1af11f369
SHA3-384 hash: 36b02b89d43d8f9200dc2c5b91de2dd0d3f407c9707d06afc0d0299484031f6820748e6d50055575dbd0b524f8fbf774
SHA1 hash: 683e1277cbb415f585ff34effb64844eb2b9f28d
MD5 hash: b547b55886d009891c4d2c214fe1647a
humanhash: potato-oregon-virginia-vegan
File name:TCOSS_100.exe
Download: download sample
Signature SchoolBoy
Create hunting rule
File size:1'047'552 bytes
First seen:2020-04-30 07:33:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c6edd83a41b2cfbe0504db4dbfc7058a (1 x SchoolBoy)
ssdeep 24576:bgA4NHK1zg46od8CCNV8aTysexPcpaE0IoK71d:DjjCNV9XepQj
Threatray 2 similar samples on MalwareBazaar
TLSH 14254C11F681A815F4D240F7D3B6863AAE64AB70230754D3B3C4AFAA7B245E17D3252F
Reporter jarumlus
Tags:SchoolBoy

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Verdict:
unknown
Similar samples:
102c31fbd568e5f1fba04da1b3a7c68681113022f9fd7655ed1edea72e1d506b
SchoolBoy
6524003d46a5f9266f0ce44f5fe7995c2d53abced4eee5fbb4e692218aca120d
SchoolBoy
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Quarian
Create hunting rule
Author:Seth Hardy
Description:Quarian
Rule name:QuarianCode
Create hunting rule
Author:Seth Hardy
Description:Quarian code features
Rule name:win_sinowal_w1
Create hunting rule
Author:Seth Hardy
Description:Quarian code features

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetDiskFreeSpaceA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::SetConsoleCtrlHandler
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileA
KERNEL32.dll::GetSystemDirectoryA
KERNEL32.dll::GetTempPathA
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueA
WIN_TIME_APICan Modify TimeKERNEL32.dll::SetLocalTime
KERNEL32.dll::SetSystemTime

Comments