MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2e4ef567c497136b0b0b75929ef07643296ca2814b6b0f19303ee29cb194cb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 3

Intelligence 3 IOCs YARA 3 File information Comments

SHA256 hash:	d2e4ef567c497136b0b0b75929ef07643296ca2814b6b0f19303ee29cb194cb1
SHA3-384 hash:	7c52129cb24d1d45819fa7c000cfd203f34e099901c768409320e3e995a6d48c103281425106e28f554e21b7072eeb25
SHA1 hash:	cc0b9b7d616f4b8338a74a5f44e2f65061f03009
MD5 hash:	40e76deb2066f8674c4b8276ab787ff2
humanhash:	yellow-football-orange-leopard
File name:	PrntScrnOfAMZOrderID.jpg.exe
Download:	download sample
File size:	427'886 bytes
First seen:	2020-03-31 21:43:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f0b4db0c074495b7d4a25ef8f03ae4cf
ssdeep	12288:TzQXRXiF6AERD283g37Zkjjsjj3R+uD07fpMv/G:IZJoqgrZWyB+cG
Threatray	56 similar samples on MalwareBazaar
TLSH	C79412032D956876C0600EFC9D5AE2F4BA7E7D322D78591AEE896F0ECC398C4586D707
Reporter	James_inthe_box
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Gathering data

Threat name:

Win32.Trojan.Delf

Status:

Malicious

First seen:

2017-04-22 06:41:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Verdict:

malicious

1561967cff081a9b139de45a82e6a61e2f5b01834d4666f2fc88cf0c52220268

1cdadad999b9e70c87560fcd9821c2b0fa4c0a92b8f79bded44935dd4fdc76a5

1fb2d300e3042a8b0a43447daff7ac9104468b7b53c7d1f9faaa730a53a546b6

244bd22b299305418f66c5a6239c70bdc5eced7c0464210feaac591301241cd5

3c774090ba37e891c0268796302378c8340f29c3d5dd1be52395abfd2c126bea

8179cb45ba2d6df0d25f9e1f382c5b9e8b9b703e4404fa19a9002c78418dedea

991c4166a2246ca5ae9186a1e747f5eb767fdbd304dbfa1c5f4a2019cb6b4aec

9ce2908edf0994f493926514628054634858340fb73f219c38c013f34dd9a429

c194e82e8a3ada40421b28e668c9135f09f9336732dc31053fc0cebf7be97564

+ 46 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_darktrack_rat_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

Rule name:	with_sqlite Create hunting rule
Author:	Julian J. Gonzalez <info@seguridadparatodos.es>
Description:	Rule to detect the presence of SQLite data in raw image
Reference:	http://www.st2labs.com

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/333097/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::VirtualAllocEx kernel32.dll::WriteProcessMemory kernel32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetStartupInfoA kernel32.dll::GetDiskFreeSpaceA kernel32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CopyFileA kernel32.dll::CreateFileA kernel32.dll::FindFirstFileA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExA
WIN_USER_API	Performs GUI Actions	user32.dll::FindWindowA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample