MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 4 File information Comments

SHA256 hash:	02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927
SHA3-384 hash:	8d39f95ab559d39a199ca53b80d942a63369203e5dee3ba0c6d34fe96f1f5689870e2228eebfb193ec9673a814d73b06
SHA1 hash:	eb951796021842496a82720135b8eb788531bb62
MD5 hash:	fec2f560619b88d9846fe03db6841e91
humanhash:	florida-finch-carolina-may
File name:	fec2f560619b88d9846fe03db6841e91
Download:	download sample
File size:	4'058'624 bytes
First seen:	2021-06-23 18:43:47 UTC
Last seen:	2021-06-23 19:41:22 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	98304:qYplpAZmLpUUUcULGvEn5w+R8z9VYIbkCh:zzfU5CEn5Q0IbkCh
Threatray	55 similar samples on MalwareBazaar
TLSH	7616011279DACA36F97E45706569CB3A14F97FE00BB188DB53D48A2E0E700C1827AF57
Reporter	zbetcheckin
Tags:	msi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Pseudosigner-36

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/806795

Signature

Connects to a pastebin service (likely for C&C)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927/

Threat name:

Win32.Trojan.Bulz

Status:

Malicious

First seen:

2021-06-23 18:44:17 UTC

AV detection:

9 of 29 (31.03%)

Threat level:

5/5

Verdict:

unknown

21b86d066be79ef02c1e00c3be9bf22c4087d4122569543d2c8854ccb8a9b129

30b21dbe9760cc2a285513b5eb161e482d234012697e7ddcdb7ca7a57832d181

32d4a464dae9552b1a5aaf8b95c1f22d3f99ebd112245fa1a3719ad12fa26ed6

7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548

80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42

84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04

a00f40db9ba7257068bb17d72e399d6a6651c2d459dbe026537131ff9baef6eb

a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda

f016bb4e883c001c82a4cf91745844f14b76fd015a2747c491badae79c2b0911

+ 45 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

persistence upx

Link:

https://tria.ge/reports/210623-z94mb12b4a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Adds Run key to start application

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Loads dropped DLL

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

msi 02cead8bc66fb8b15702508eb0681a0c2f26846962fd95cf621f84d481454927

(this sample)

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1392336/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample