MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 086c37d38778e01644fd879d4c19b7387f6526d3d5ca408af8166207b3729f0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: 086c37d38778e01644fd879d4c19b7387f6526d3d5ca408af8166207b3729f0e
SHA3-384 hash: f8105080923b72127146944ec8c5d26ca8256958b5b148d8629203fb7d6b78991c34e659bdc863948b3aae565010b349
SHA1 hash: 6687605a0b342a8255c954449dc2af347984b866
MD5 hash: e4a077a9a7924d2a127fb176d2d7cbe0
humanhash: michigan-lima-edward-tennessee
File name: slw.dll
File size: 532'992 bytes
First seen: 2021-12-03 15:56:50 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0d63c2d81db353db6f419674bd884b8c
ssdeep: 12288:0KRhM4fRX0it9hTCSuIyYZoxGoxSQvvg5fCg2:9M0POSuITZiGUS
Threatray: 42 similar samples on MalwareBazaar
TLSH: T132B49E1AFB7844B5E166D13889779686E2727C590B6086DF2368531E2F33FE04E3BB11
Reporter: Anonymous
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 198
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: slw.dll
Verdict: No threats detected
Analysis date: 2021-12-03 16:55:16 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 68 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph: the rendered process graph (Behavior Graph ID 533527, sample slw.dll, start date 03/12/2021, architecture WINDOWS, score 68) is not reproduced here. Its nodes are the rundll32.exe / loaddll64.exe / cmd.exe / reg.exe / chrome.exe / conhost.exe / timeout.exe / choice.exe process chain, the signatures listed above, and two port-443 network nodes: 162.33.179.23 and 162.33.177.179 (CORENETUS, United States).
Threat name: Win64.Trojan.Bazaloader
Status: Malicious
First seen: 2021-12-03 15:57:17 UTC
File Type: PE+ (Dll)
Extracted files: 4
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Unpacked files
SHA256 hash: 086c37d38778e01644fd879d4c19b7387f6526d3d5ca408af8166207b3729f0e
MD5 hash: e4a077a9a7924d2a127fb176d2d7cbe0
SHA1 hash: 6687605a0b342a8255c954449dc2af347984b866
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link

Comments