MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297
SHA3-384 hash:	3b2099357944e0b5176f897dc9f4de7605a7b6cb02f64bd1aac340b093b47e18d8f96e3d45df452abef3acce30bac249
SHA1 hash:	b5a9201231d1f406ba281b6f3b7a4cd9852ac09c
MD5 hash:	e1c14bbff9bfe344aeaf639df5b30b0e
humanhash:	island-muppet-enemy-speaker
File name:	104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297
Download:	download sample
File size:	5'181'168 bytes
First seen:	2021-03-03 09:39:25 UTC
Last seen:	2021-03-03 11:49:47 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	bd64dd854ff1e36459ea17016dae632a (1 x ModiLoader)
ssdeep	49152:FFSq1dQ4KO50v3mSIF7dzyhIR8eHgFFH+4muPTtjEhUSZQcuC1Ha:KohBsQ8NFg4nJE9Qcu8a
TLSH	D7366BE372C55D3EC06A16350A3BAE21853EFB71261A892B13B41C0CCF716957839E6F
Reporter	JAMESWT_WT
Tags:	Rubin LLC

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297

Verdict:

No threats detected

Analysis date:

2021-03-03 09:52:52 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9ae3a4d3-4f04-4a82-9365-b62daabfc9dc

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/121308/

Detection(s):

PUA.Win.Packer.BorlandCpp-9

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/625864

Signature

Allocates memory in foreign processes

Hijacks the control flow in another process

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Uses ipconfig to lookup or modify the Windows network settings

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297/

Threat name:

Win32.Trojan.Bulz

Status:

Malicious

First seen:

2020-12-06 00:48:04 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/210303-le5scgysdj/

Behaviour

Suspicious behavior: GetForegroundWindowSpam

Unpacked files

SH256 hash:

104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297

MD5 hash:

e1c14bbff9bfe344aeaf639df5b30b0e

SHA1 hash:

b5a9201231d1f406ba281b6f3b7a4cd9852ac09c

Detections:

win_houdini_auto

Link:

https://www.unpac.me/results/9629684c-568c-4cc0-b497-cf7edaa37263/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/104d09a582d1488dc19362b59d868f845c4a246224b726dad5102fa34a276297

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	crime_win32_parallax_payload_1 Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax Injected Payload v1.01
Reference:	https://twitter.com/VK_Intel/status/1227976106227224578

Rule name:	crime_win32_rat_parralax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	MAL_crime_win32_rat_parallax_shell_bin Create hunting rule
Author:	@VK_Intel
Description:	Detects Parallax injected code
Reference:	https://twitter.com/VK_Intel/status/1257714191902937088

Rule name:	win_houdini_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/121308/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample