MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c0cf69bce6fb6ec59be3044d35d3a130acddbbf9288d7bc58b7bb87c0a4fb97. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4



SHA256 hash: 1c0cf69bce6fb6ec59be3044d35d3a130acddbbf9288d7bc58b7bb87c0a4fb97
SHA3-384 hash: 3900e01baf3ba26d92b2c665c1ead668d7f0c7d75d385acfb4617a662decd14a358564be94d11e5b5414d26f9311ebae
SHA1 hash: ef3e558ecb313a74eeafca3f99b7d4e038e11516
MD5 hash: b4f12a7be68d71f9645b789ccdc20561
humanhash: massachusetts-don-spring-tennessee
File name: WGXMAN.DLL
File size: 91'016 bytes
First seen: 2022-03-29 09:35:41 UTC
Last seen: 2022-03-29 10:41:21 UTC
File type: DLL dll
MIME type: application/x-dosexec
imphash: 3bb52be2e0e2298920dfffb9176df3e9
ssdeep: 1536:RxOHyRtyd+624O2sSd/894mPOfzc4ILUHe936593VQtZe4d86NIJmoA:RxdR4d+v4Dz1IXV65V2tHdjem
TLSH: T1D3938D52F7C1C0B2D8538A3D5176C7324B7ABA402B79C4E737981DCD9E227E1A63A316
Reporter: Libranalysis
Tags: dll plugx loader talisman

Intelligence


File Origin
# of uploads: 2
# of downloads: 199
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean

Maliciousness:
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: control.exe greyware overlay packed

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature:
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Behaviour
Behavior Graph:
[Behavior graph rendering removed] Graph ID: 599067; Sample: WGXMAN.DLL; Start date: 29/03/2022; Architecture: WINDOWS; Score: 52. Signatures: Multi AV Scanner detection for submitted file; Sigma detected: Suspicious Call by Ordinal. Process tree: loaddll32.exe started rundll32.exe, cmd.exe, a second rundll32.exe and 6 other processes; cmd.exe started rundll32.exe; both rundll32.exe instances started WerFault.exe; network node: 192.168.2.1 (unknown), reached from WerFault.exe.
Threat name: Win32.Trojan.DllHijack
Status: Malicious
First seen: 2021-05-12 22:43:34 UTC
File Type: PE (Dll)
AV detection: 11 of 42 (26.19%)
Threat level: 5/5
Verdict: unknown

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour:
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Unpacked files
SHA256 hash: 1c0cf69bce6fb6ec59be3044d35d3a130acddbbf9288d7bc58b7bb87c0a4fb97
MD5 hash: b4f12a7be68d71f9645b789ccdc20561
SHA1 hash: ef3e558ecb313a74eeafca3f99b7d4e038e11516
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments