MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b
SHA3-384 hash:	2f9f0758675ebba52c74b180177e5e6c6b8212e32f2226d461b5f921c5a4653cce4e6fb43f25e130aaf6f0b788cb2704
SHA1 hash:	8a7e2399a61ec025c15d06ecdd9b7b37d6245ec2
MD5 hash:	7009af646c6c3e6abc0af744152ca968
humanhash:	fifteen-skylark-neptune-freddie
File name:	iec56w4ibovnb4wc.onion_Library__Turla__OutlookBackdoor2.bin.malw
Download:	download sample
File size:	290'816 bytes
First seen:	2020-03-18 23:10:42 UTC
Last seen:	Never
File type:	dll
MIME type:	application/x-dosexec
imphash	76768716dc7a613d452ff4d177e13797
ssdeep	3072:VTYdqqTVKO9cgn+66e6q2Lk0txU1P/S9oCJ+Pn4ByTvNsGLL8GdsyUl7eEHe55k2:ReqqT9+BbYt1GO+Enw3lHHS19CY
Threatray	3 similar samples on MalwareBazaar
TLSH	A554AF03B6D1C071C68F09385A25DBB8A6FDB465A9A1C043BBC8567D9F37642DA3834F
Reporter	ov3rflow1
Tags:	malw

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Turla-6657767-0

PUA.Win.Downloader.Aiis-6803892-0

Gathering data

Threat name:

Win32.Trojan.Turla

Status:

Malicious

First seen:

2014-02-11 21:15:00 UTC

File Type:

PE (Dll)

Extracted files:

AV detection:

42 of 47 (89.36%)

Threat level:

5/5

Verdict:

malicious

881941ea24e92f4bd4d69d79e27ce1d2b10094172cb3cc93b223daf70ef2d867

a2322a27796d9f34f31d819e417d4eba3d1463ecb81b4b7aa1791812aed28a63

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e869c8e7f61d4f49d357d02179ed557e466b1d66ce6993faddbc23d5992ff59b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	ADVAPI32.dll::OpenProcessToken KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::WriteConsoleA KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW KERNEL32.dll::GetFileAttributesW KERNEL32.dll::FindFirstFileW
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExA ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegQueryValueExA
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample