MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff486b597227e38d9538b37587c352bc12594cb58a417b8f18c934900a479122. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4



SHA256 hash: ff486b597227e38d9538b37587c352bc12594cb58a417b8f18c934900a479122
SHA3-384 hash: 710f6e498afebcd7bd62a7b12eca7d2a80a1dec3607b8c9fb59d9f5d38d4f5aac080d14b66c2eb9155560fcfeafad544
SHA1 hash: a4e5d5d0b1fed1d933f9c4f9749242c6e7ee6c09
MD5 hash: bc3132e3eb62d1e7490c65d5216f96e6
humanhash: sad-september-mississippi-minnesota
File name: NvSmartMax.dll
File size: 18'593'792 bytes
First seen: 2021-06-08 23:35:09 UTC
Last seen: 2021-06-09 01:19:24 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: a224cf9cffa336d060a9c56128d68618
ssdeep: 196608:gU1ZDWxJ8PJ+PtSVPDev34K6DFfpK6PJtMkvEpDXVqQX9D1dImRkrAY:gKuJGKdv3O3K6BNvc4YIvrAY
TLSH: D117AE32B284753FC0EA0A3A9537B614993F77B13912CC5B57F40A8CCE765816B3A64B
Reporter: johnk3r
Tags: banker dll latam

Intelligence


File Origin
# of uploads: 3
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Suspicious
Maliciousness:
Behaviour:
Creating a window
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 48 / 100
Signature: Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Behavior Graph ID: 431619. Sample: NvSmartMax.dll. Start date: 09/06/2021. Architecture: WINDOWS. Score: 48.
Signature flagged in graph: Multi AV Scanner detection for submitted file.
Process tree recovered from the graph (parent to child):
loaddll32.exe
    cmd.exe
        rundll32.exe
            WerFault.exe
            WerFault.exe
    rundll32.exe
        iexplore.exe
        WerFault.exe
    rundll32.exe
        WerFault.exe (network contact: 192.168.2.1, unknown)
    18 other processes
        WerFault.exe
        WerFault.exe
        iexplore.exe
        WerFault.exe
Verdict: suspicious

Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour:
Modifies Control Panel
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash

Unpacked files
SHA256 hash: cadd7e54d7ec68b295ab7cf3f7f6110fd1d50cf79cbf332608952b1c99241c3d
MD5 hash: 10ec6e5eebf795f651ca62b4764169e3
SHA1 hash: 8dfeefdd9119970b259ed4dc06350d7bccda0494

SHA256 hash: ff486b597227e38d9538b37587c352bc12594cb58a417b8f18c934900a479122
MD5 hash: bc3132e3eb62d1e7490c65d5216f96e6
SHA1 hash: a4e5d5d0b1fed1d933f9c4f9749242c6e7ee6c09

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: Adsterra_Adware_DOM
Author: IlluminatiFish
Description: Detects Adsterra adware script being loaded without the user's consent

Rule name: Ping_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: Amavaldo
Delivery method: Distributed via e-mail link
