MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89d5d6a0436ed5e2e27c0f9cd1f7fa5b05fa342a082fc5d7ad2439ac75c7bf33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 89d5d6a0436ed5e2e27c0f9cd1f7fa5b05fa342a082fc5d7ad2439ac75c7bf33
SHA3-384 hash: edd431ccb83026be8bd7bd872e354111337588a9db9effbc629df1f5293804b18f9c4c4b5280a44c8207039182544f85
SHA1 hash: fe191a27267191a216ff8f7e724632fdc455ff2a
MD5 hash: a22f2197c7846b8a608356fd7a00d9be
humanhash: december-mike-steak-carpet
File name:89d5d6a0436ed5e2e27c0f9cd1f7fa5b05fa342a082fc5d7ad2439ac75c7bf33
Download: download sample
File size:6'757'376 bytes
First seen:2020-06-10 07:31:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0a110d34ff2427775b8c12f547c295e0
ssdeep 98304:gxTgCeulq4Cd89zj2OVlHlOaWIOvarHCczXGq4sXwHfjU20EWjGbYE0nXATh0jXG:gxhlZFzioO5IOC2oXGi6Z0EWemMD3
Threatray 50 similar samples on MalwareBazaar
TLSH 0C6623B316441086F1E1C93EC637FE9470F657BECA81FCB998AB59C422155E2E327983
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.Ursu
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 02:53:58 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
31 of 48 (64.58%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1c016d7a68f97ebc995595745633584e3a167fdab7923977cf2ce96b93565c6f
1d20f089698311891fac0a5cc2f3ecbfc1ce8e38d5e75a8a55b822324e8b1d35
1e04c1e4eefe23f454553364e757209462f2561d8455628b296b1dbe83fc6ec2
22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9
5003a820820a43883c42918e8ca0ad6605417ed61b2645b35c068b396c44ecc9
586308277bf0f934777f113da1b684233d2cdfbf6b746eebc35d2f8dc8d1c585
790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
7ab6936ad40377ecea070401a55ef15033c9ee2e441a2aaa0dc963a081502761
88741b14f426f4cb2f942dea22a70f85ae06a9e86ee03decd1ae79e6371f1b59
c8989c184174f25a13a23242d9e7d2c99f74ca9e283d1d4b1ad642bdcb89ba63
+ 40 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/201109-dddg92nawx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
JavaScript code in executable
Drops desktop.ini file(s)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments