MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 102c31fbd568e5f1fba04da1b3a7c68681113022f9fd7655ed1edea72e1d506b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SchoolBoy


Vendor detections: 1


SHA256 hash: 102c31fbd568e5f1fba04da1b3a7c68681113022f9fd7655ed1edea72e1d506b
SHA3-384 hash: 182588f709b65f08840d3c37f498865e1439ae8f2022c5822bd8839cd61dfc6e6cb88299443ee10533500f041e40f2db
SHA1 hash: 6ad4a8f083079640f17ba125bf296df8923253ae
MD5 hash: c39f87dbcab4fc9ba71891c9d871e049
humanhash: hotel-twenty-orange-mango
File name: TCOSS.exe
Signature: SchoolBoy
File size: 1'144'320 bytes
First seen: 2020-04-30 07:33:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 54876068837902d252dc9cbe03aa0746 (1 x SchoolBoy)
ssdeep: 24576:WnAe/FZq7GwZfUZpuSgm8X46D2oaYTbFK1Cx6:8GGwZipuhm8XJDIq3Y
Threatray: 2 similar samples on MalwareBazaar
TLSH: FB356D11F681D41AF5D200F6C3BA8A3AAE649B70230650C3F3D86FAA77695E07D7251F
Reporter: jarumlus
Tags: SchoolBoy

Intelligence


File Origin
# of uploads: 1
# of downloads: 87
Origin country: n/a
Vendor Threat Intelligence
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Quarian
Author: Seth Hardy
Description: Quarian

Rule name: QuarianCode
Author: Seth Hardy
Description: Quarian code features

Rule name: win_sinowal_w1
Author: Seth Hardy
Description: Quarian code features

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews

ID | Capabilities | Evidence
SECURITY_BASE_API | Uses Security Base API | ADVAPI32.dll::AdjustTokenPrivileges
SS_API | Uses SS API | Secur32.dll::AcceptSecurityContext, Secur32.dll::AcquireCredentialsHandleW, Secur32.dll::CompleteAuthToken, Secur32.dll::DeleteSecurityContext, Secur32.dll::ImpersonateSecurityContext
WIN32_PROCESS_API | Can Create Process and Threads | ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeA, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetDiskFreeSpaceA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::SetConsoleCtrlHandler
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileA, KERNEL32.dll::GetSystemDirectoryA, KERNEL32.dll::GetTempPathA
WIN_BASE_USER_API | Retrieves Account Information | ADVAPI32.dll::LookupPrivilegeValueA
WIN_CRYPT_API | Uses Windows Crypt API | ADVAPI32.dll::CryptAcquireContextA, ADVAPI32.dll::CryptCreateHash, ADVAPI32.dll::CryptDecrypt, ADVAPI32.dll::CryptDeriveKey, ADVAPI32.dll::CryptEncrypt, ADVAPI32.dll::CryptGenRandom
WIN_TIME_API | Can Modify Time | KERNEL32.dll::SetLocalTime, KERNEL32.dll::SetSystemTime

Comments