MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1a17d692d654a9f7847d40bcd4d78e3383fb76f5bc20fc566831fdb2336c95a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1a17d692d654a9f7847d40bcd4d78e3383fb76f5bc20fc566831fdb2336c95a
SHA3-384 hash: 0932c00ca5a8fba73392da327e91b374bf3b87068cada7b78009ce18aec72580cce69eb97a7168072078dafb263dfcb5
SHA1 hash: 4dd4e417dbb3ef1514c8a5809e570a1bab7807ae
MD5 hash: 2516c1691698f9e8c4897b761f38eb54
humanhash: sixteen-xray-mirror-oregon
File name:e1a17d692d654a9f7847d40bcd4d78e3383fb76f5bc20fc566831fdb2336c95a
Download: download sample
File size:2'993'152 bytes
First seen:2021-05-12 15:51:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 167344a4df394fbba605fc972e41437a (4 x CobaltStrike, 1 x GoCryptoLocker, 1 x Sodinokibi)
ssdeep 49152:T1hVjWFq/BtwFJuYPndsUC97532dzY4AGvG2vGW1Do:THVqFq/BtmxPSd8zYK7
Threatray 93 similar samples on MalwareBazaar
TLSH 89D57D12FCE614B6CABDF130C5A25221763174A943323BD35F9499BA1A6AFD42F3E341
Reporter JAMESWT_WT
Tags:WindowsRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1a17d692d654a9f7847d40bcd4d78e3383fb76f5bc20fc566831fdb2336c95a
Verdict:
Suspicious activity
Analysis date:
2021-05-12 15:57:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fcb9e68a-a249-45c1-a9f1-49c003118a12

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/155420/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/780064
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1a17d692d654a9f7847d40bcd4d78e3383fb76f5bc20fc566831fdb2336c95a/
Threat name:
Win64.Backdoor.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-09-09 16:07:53 UTC
File Type:
PE+ (Exe)
AV detection:
11 of 47 (23.40%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
006c9ba4ca0218e7bd2c7c21653497d3215bbeefbc1f5c2781549b306bab8e5e
32b8ffac3250444904e6af3fca1f6408e684f11ad59e6c46887cf44f5de19e6b
7786483b897971c243102c6203d0f19608524cba52136ae5fa71803e74d55825
82b1cdd8869c550689bd5d5f6c387b21e84cd137730ed810cc2a3977560649cf
9093233af919545a06bb718dd45e2b033be1caaf0844eec11c1f4cb8c0df3527
9d701a6eab150c0140c0153c4b6c1f3dbc0a44845722b79bfa75a98c200113fa
9f84130cc5240f4df5afc674fde40012dd9ff141a28dfd171fbd0db9747dbc39
c9097276ad19a25c9c4a62a8400f7bb12407bb5aedf25db29e2c9d2de843276d
e453400f413b4ad2e996c28b7e72be2d42fc2a8d30e9c91a67a0e0e6915aff7f
fffd5fb4107407ecc42df03dec6cc20d164b651879ac0a77455e07d9fc001a6d
+ 83 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210512-29rqhx1gln/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/e1a17d692d654a9f7847d40bcd4d78e3383fb76f5bc20fc566831fdb2336c95a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/155420/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-12 16:04:12 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0002.014] Communication Micro-objective::Read Header::HTTP Communication
1) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
2) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
3) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
4) [C0019] Data Micro-objective::Check String
5) [C0026.001] Data Micro-objective::Base64::Encode Data
6) [C0030.005] Data Micro-objective::FNV::Non-Cryptographic Hash
7) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
10) [C0052] File System Micro-objective::Writes File