MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Squirrelwaffle

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44
SHA3-384 hash:	6356b43a3b58206421f161ce304e0517cdd554d1e156afa2b053bb48b13a4b54cf5f32a87ad9c8c03ade54674b7d65a5
SHA1 hash:	4087259179a6761e376dcfbf2e981e1c0cacc287
MD5 hash:	3d77d7a2e2697d35b281123afe4b030c
humanhash:	floor-iowa-friend-william
File name:	test1.test
Download:	download sample
Signature	Squirrelwaffle Create hunting rule
File size:	316'832 bytes
First seen:	2021-09-25 00:03:58 UTC
Last seen:	2021-09-25 01:10:59 UTC
File type:	dll
MIME type:	application/x-dosexec
imphash	cc1e6975fa29dad96fae67f7e9b5f02b (1 x Squirrelwaffle)
ssdeep	3072:TsN//P/zD85fNsfmMBkw28lmNQOfNcopS94e+gpiHLXQAAAvvzBSV278HjCFo3s5:MzDkmra8oNBTppeCVSV278DufMs9zD
Threatray	2'069 similar samples on MalwareBazaar
TLSH	T14064BE20B5C3E034C43E46B44975D992663C7C704F20DA9B3BA8AF7E5AB71C06936B97
Reporter	malware_traffic
Tags:	dll SQUIRRELWAFFLE

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/191296/

Detection(s):

SecuriteInfo.com.StaticAI-SuspiciousPE.7977.24452.UNOFFICIAL

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/4ea355bd-ff6b-48f0-aa65-8b35e719e6d4

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44/

Verdict:

malicious

Label(s):

gozi

Squirrelwaffle

0cf7c00b406b33ae2af9068885a9d3c1ba3993f3878aa06e052c3b0249a42d81

Squirrelwaffle

3026fb99476bfb40357573b15fc63c0c63b1e9bd99f8266e91da21b80fe903cf

Squirrelwaffle

354f9844193171392a16a1a2262712d17638925f16aed9e9827f11e368e0fa05

Squirrelwaffle

4545b601c6d8a636dce6597da6443dce45d11b48fcf668336bcdf12ffdc3e97e

Squirrelwaffle

5582447866948a38cb3d1013759854142cbbdc812de3d821c5d4c151e4ebbe6f

Squirrelwaffle

64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb

Squirrelwaffle

85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939

Squirrelwaffle

+ 2'059 additional samples on MalwareBazaar

Result

Malware family:

squirrelwaffle

Score:

10/10

Tags:

family:squirrelwaffle downloader

Link:

https://tria.ge/reports/210925-acpsraabf6/

Behaviour

Suspicious use of WriteProcessMemory

Blocklisted process makes network request

squirrelwaffle

SquirrelWaffle is a simple downloader written in C++.

Malware Config

C2 Extraction:

hutraders.com/0eeUtmJf8O
goodartishard.com/0JXDM9kMwx
now.byteinsure.com/tnjUrmlhN
asceaub.com/Xl8UCLSU
colchonesmanzur.com/GjVgBnKaNIC
sistemasati.com/0SzGNkx6P
maldivehost.net/zLIisQRWZI9
lrdgon.org/l7r96tjAJ
binnawaz.com.pk/jhSZGWS76C
fhstorse.com/vJlgdjJnpIop

Unpacked files

SH256 hash:

b5db4e6800b976c5d78f4a5f842569fc24f430ac3c5d68a3834ee0d24716307d

MD5 hash:

e8f9e6fdd6d4994afd63ab7218e99fa2

SHA1 hash:

4604cea16717f453934e1f3be39661dd8f1a9204

Link:

https://www.unpac.me/results/f569a8c6-4baf-4b23-889f-d71fa99ad07e/

SH256 hash:

07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44

MD5 hash:

3d77d7a2e2697d35b281123afe4b030c

SHA1 hash:

4087259179a6761e376dcfbf2e981e1c0cacc287

Link:

https://www.unpac.me/results/f569a8c6-4baf-4b23-889f-d71fa99ad07e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/07c7cb49350bf3c6de4193fb2eeb8dd92d6662d60393ebd483a54bac80fb0b44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Windows_Loader_SquirrelWaffle Create hunting rule
Description:	Identifies strings/byte sequence used in unpacked SquirrelWaffle loader

Rule name:	win_squirrelwaffle_loader Create hunting rule
Author:	Rony(@r0ny_123)
Description:	Detects unpacked squirrelwaffle loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/191296/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample