MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Lazarus


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
SHA3-384 hash: 0e4c1853137a9dd2407cf47008be719a95985bba00b68c411d18d659b1abf6b26445b3290fdfbf601e43e40297aa70ea
SHA1 hash: 1ef0e1cabd344726b663cec8d9e68f147259da55
MD5 hash: 629b9de3e4b84b4a0aa605a3e9471b31
humanhash: river-jersey-yankee-cup
File name:01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f.bin
Download: download sample
Signature Lazarus
Create hunting rule
File size:161'280 bytes
First seen:2021-02-18 01:37:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e217501515a13bba8aefe7dcf3b74f33 (1 x Lazarus)
ssdeep 3072:Q/MdytyORF471FiHNkwBFTdpSI94e1ZVypzCG9n7r:Q/ftvF471AHNFjdYIZOt
TLSH E3F35B1BB3A420F5E177C279C9525A06E372783647219BDF07A4437A2F236D19E3EB21
Reporter Arkbird_SOLG
Tags:apt Lazarus

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117636/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.33626108.15337.23690.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/610999
Signature
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 354518 Sample: FQGOz4VZwL.exe Startdate: 18/02/2021 Architecture: WINDOWS Score: 60 25 unioncrypto.vip 2->25 31 Antivirus / Scanner detection for submitted sample 2->31 33 Multi AV Scanner detection for submitted file 2->33 7 FQGOz4VZwL.exe 2->7         started        11 cmd.exe 2 2->11         started        13 cmd.exe 2 2->13         started        15 4 other processes 2->15 signatures3 process4 dnsIp5 27 192.168.2.1 unknown unknown 7->27 29 unioncrypto.vip 7->29 35 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->35 17 conhost.exe 11->17         started        19 sc.exe 1 11->19         started        21 conhost.exe 13->21         started        23 sc.exe 1 13->23         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-04-08 16:13:17 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
30 of 48 (62.50%)
Threat level:
  5/5
Verdict:
unknown
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210218-nrvmml82ts/
Unpacked files
SH256 hash:
01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f
MD5 hash:
629b9de3e4b84b4a0aa605a3e9471b31
SHA1 hash:
1ef0e1cabd344726b663cec8d9e68f147259da55
Link:
https://www.unpac.me/results/1bf06890-7729-4217-b665-6b5380626d8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01c13f825ec6366ac2b6dd80e5589568fa5c8685cb4d924d1408e3d7c178902f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/117636/

Comments