MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
Threat unknown
Vendor detections: 6
| SHA256 hash: | 02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a |
|---|---|
| SHA3-384 hash: | ca33165987eacf4f0b55ee061aec09ee56a1d0dbf2a5926cbb4a47d419f78503f03e0944f7462daa5197586bd77c9f68 |
| SHA1 hash: | a6b879508f66ac15a1f410fef02408c3d645339b |
| MD5 hash: | 014e64b117af39a265210fee60da807c |
| humanhash: | twelve-queen-delaware-solar |
| File name: | 02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a |
| File size: | 592'635 bytes |
| First seen: | 2021-02-28 07:07:47 UTC |
| Last seen: | Never |
| File type: | |
| MIME type: | application/x-dosexec |
| imphash: | e9c0657252137ac61c1eeeba4c021000 (53 x GuLoader, 26 x RedLineStealer, 17 x AgentTesla) |
| ssdeep: | 12288:mlAeMEYL6TbGodi3wkQSHKeBYPNjOAylovWwa8ALlTwVMA6o:mlA3P6TexKe+PNjOxeOCAlKR6o |
| Threatray: | 69 similar samples on MalwareBazaar |
| TLSH: | 0AC412712D719F6DF053223A4B5EDD62E2B00A5C0A3442667F22BF4A9FF4C244D5A7A3 |
| Reporter: | |
Intelligence
File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Deleting a recently created file
Launching a service
Loading a system driver
Creating a window
Creating a file in the Program Files subdirectories
Launching a process
Launching the process to change the firewall settings
Enabling autorun for a service
Forced shutdown of a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies security policies related information
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Behaviour
Threat name:
Win32.PUA.RDPWrap
Status:
Malicious
First seen:
2021-02-25 17:00:01 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
1/5
Verdict:
unknown
Similar samples:
+ 59 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
evasion persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Modifies WinLogon
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Unpacked files
SHA256 hash:
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
MD5 hash:
0063d48afe5a0cdc02833145667b6641
SHA1 hash:
e7eb614805d183ecb1127c62decb1a6be1b4f7a8
Detections:
win_buer_auto
Parent samples :
SHA256 hash:
2f33ed67124a2225104726cb59f001e5ff4d78b0d88a650ced997890b515a73b
MD5 hash:
51b15fc8de1a07851f648ffe4362e5ca
SHA1 hash:
b8215e0a97424eff245eaf196ed4fccd154723b6
SHA256 hash:
60b727d6aa1469d7b9efec8669368e6018d4363150466029d9a77afe545671d9
MD5 hash:
7cfdbba38658c1410f20010796d94bf2
SHA1 hash:
777f1195a6e8140f92248ebfff02dd55730de09c
SHA256 hash:
a5284e6e1428e4b7e4fbfa216e9d6efaf75c01321289ba7a858c646f5d583528
MD5 hash:
73c8e4f7f4600503123fbf7a604539ff
SHA1 hash:
362177c6fabcc0e5ebce446c8fa8927871178170
SHA256 hash:
4c19d053751a68b30c045119642964268659bf79bd066046c32ddb875ec339eb
MD5 hash:
b52ac2b928342ee016739834af802beb
SHA1 hash:
1d4d62475d6ab667fdbc68a46177b7ae01c2ddeb
SHA256 hash:
02fca6ef5d9d8b1eb29f7ac8ea0573b504ea7f06c215e091791653b40fe1329a
MD5 hash:
014e64b117af39a265210fee60da807c
SHA1 hash:
a6b879508f66ac15a1f410fef02408c3d645339b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DanaBot
Score:
0.80
File information
The table below shows additional information about this malware sample such as delivery method and external references.