MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Lazarus


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash: 01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980
SHA3-384 hash: e33fdb1a09fa25acaeba77ed2c95dfd46db6b7f2e24d1051a7a35a86cc5dcfb80ee839e7329c292c75939ac599e82673
SHA1 hash: 461e4e6e8240cc43f4c19dc3dbb365575e06e259
MD5 hash: a6e7c231a699d4efe85080ce5fb36dfb
humanhash: earth-kentucky-artist-utah
File name:preinstall.db
Download: download sample
Signature Lazarus
File size:395'264 bytes
First seen:2023-11-29 19:25:35 UTC
Last seen:2023-11-29 21:27:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 14d60ef38feab6a732ffa1ea5b6e8b6c (1 x Lazarus)
ssdeep 6144:KCWThGl6FHGKg706IvaRaWH0cxUKK72FjCPekqOnxWMVKc8hH0W83T4mAYUndH:BR6FH+7RI8aWlxU7ClCBxWM0c8hHI2H
TLSH T16A8412175A344070D1629779D9F29CA1D7B2BC0083B24E8F93A4479E9F96BD21D383F6
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter smica83
Tags:apt exe Lazarus

Intelligence


File Origin
# of uploads :
2
# of downloads :
410
Origin country :
HU HU
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:
Gathering data
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
68 / 100
Signature
Antivirus detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Execute DLL with spoofed extension
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1350118 Sample: preinstall.db.exe Startdate: 29/11/2023 Architecture: WINDOWS Score: 68 24 Antivirus detection for dropped file 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Sigma detected: Execute DLL with spoofed extension 2->28 30 Machine Learning detection for sample 2->30 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 4 7->11         started        14 cmd.exe 1 7->14         started        16 rundll32.exe 2 7->16         started        18 3 other processes 7->18 file5 22 C:\Users\user\AppData\...\IconCache.db, PE32+ 11->22 dropped 20 rundll32.exe 14->20         started        process6
Threat name:
Win64.Trojan.NukeSped
Status:
Malicious
First seen:
2023-11-23 17:15:25 UTC
File Type:
PE+ (Dll)
Extracted files:
1
AV detection:
16 of 23 (69.57%)
Threat level:
  5/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Unpacked files
SH256 hash:
01c5836655c6a4212676c78ec96c0ac6b778a411e61a2da1f545eba8f784e980
MD5 hash:
a6e7c231a699d4efe85080ce5fb36dfb
SHA1 hash:
461e4e6e8240cc43f4c19dc3dbb365575e06e259
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments