MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hive

Vendor detections: 7

Intelligence 7 IOCs YARA 7 File information Comments

SHA256 hash:	0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34
SHA3-384 hash:	812021ed399d610fba78c88b08043fc48f12f48283f44ebd9f0eab5942b88ab2647989f260eb11dd53aa33efbb7bb454
SHA1 hash:	f919b6b454dbd576d73f31485bf9455c2c0513bb
MD5 hash:	12150af60e86d7911018af299607a13b
humanhash:	utah-kitten-three-magazine
File name:	tool ddos.exe
Download:	download sample
Signature	Hive Create hunting rule
File size:	2'642'432 bytes
First seen:	2022-06-15 10:50:20 UTC
Last seen:	2022-06-15 12:05:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 37 x Vidar)
ssdeep	49152:DQkjg3OBrb/TZvO90dL3BmAFd4A64nsfJCDgQreJgfoXkD13Tpj6O1a1IiuJjB+C:K3IeUuqaoB+
Threatray	114 similar samples on MalwareBazaar
TLSH	T119C58B03BC8464B9C5EAD231897582927A31BC890F3167D73F54B7BA2B73BD44A39394
gimphash	b4611a9dc39012976912a5e9bea6ca93521a7fb30151e54e15ee23bf98336260
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	___
Tags:	exe Hive

Intelligence

File Origin

# of uploads :

# of downloads :

336

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/280121/

Detection(s):

SecuriteInfo.com.Heuristic.HEUR.AGEN.1211789.22783.23780.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21391/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

golang packed

Link:

https://www.filescan.io/uploads/62a9b9d524ded2bdf727c517/reports/d28c22d2-33bb-4277-8c05-0186531a5503/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8d5af476-042f-4e5a-bd09-9df902feb03a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1013582

Signature

Antivirus / Scanner detection for submitted sample

Connects to many ports of the same IP (likely port scanning)

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2022-06-15 10:51:14 UTC

File Type:

PE+ (Exe)

AV detection:

12 of 26 (46.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a6d24lcd2ounh5u2wpljnexxrhqlj6rhwj3oa4wkisuca5chpy2a._file

Verdict:

unknown

Hive

356ed801fd17886006472a332bba1126976a4a14dbf378d59a01904fcea64b18

Hive

5e6c5a9fda2d20125f6f24e37e8a217a39ff0a5cfddc07ddfdb18049d9ea4597

Hive

8abaa521a014cdbda2afe77042f21947b147197d274bf801de2df55b1e01c904

Hive

a945fd22e8f7272ce950721138fedb657dcfdd8447620a840c17688e3f9e0561

Hive

+ 104 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220615-mxt97adgcl/

Unpacked files

SH256 hash:

0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34

MD5 hash:

12150af60e86d7911018af299607a13b

SHA1 hash:

f919b6b454dbd576d73f31485bf9455c2c0513bb

Link:

https://www.unpac.me/results/ba06dccd-69cb-4428-96e2-d8015e5e52a4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.16

Link:

https://yomi.yoroi.company/submissions/0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	methodology_golang_build_strings Create hunting rule
Author:	smiller
Description:	Looks for PEs with a Golang build ID

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/280121/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample