MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414
SHA3-384 hash: 034b19af36b6224276ac0fc7f8817001dbe529f020dc45bcd2ba8962d2af12a49dd07323052e6ecaf31e3bea1633d0c8
SHA1 hash: 1183033b53ace85fe7432d9192dae5c64a889b2a
MD5 hash: 3f268b389f38ec192b277b9a25c98d5d
humanhash: sodium-october-colorado-may
File name: 3f268b389f38ec192b277b9a25c98d5d.exe
File size: 352'768 bytes
First seen: 2020-11-19 06:11:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 65cdd970d73381f4b594a626a242a94a (1 x DanaBot)
ssdeep: 6144:5UIXyrflSl4vRGO9mL55rL0+d3Y8jxU/U0Fuf5q:5dXyrflm4vRGMmL55rL083YD/Z
Threatray: 5 similar samples on MalwareBazaar
TLSH: D374F212B780D033D58615358D16C7741A7AB8711EAAAACBBBD41BBD5F303E38B36316
Reporter: abuse_ch
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 87
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signatures:
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found C&C like URL pattern
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph (ID 320224; sample Bae5UWYG2L.exe; start date 19/11/2020; architecture WINDOWS; score 92). The graph image itself is not reproduced; the nodes it records are:
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; 2 other signatures.
Process Bae5UWYG2L.exe: contacts 4cnx9s25gsvw.top (45.139.186.121, ports 49725, 49726, 80; HostingvpsvilleruRU, Russian Federation); drops C:\Users\user\AppData\...\syZsNnTNps[1].vx (PE32) and C:\ProgramData\...\appconfig.dll (PE32); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Contains functionality to detect sleep reduction / modifications; starts WerFault.exe (three instances) and 9 other processes.
Child processes: each WerFault.exe instance and the other processes drop C:\ProgramData\Microsoft\...\Report.wer (Little-endian); the other processes also start conhost.exe (two instances), reg.exe and 7 other processes.
Threat name: Win32.Trojan.Glupteba
Status: Malicious
First seen: 2020-11-19 01:55:14 UTC
AV detection: 25 of 28 (89.29%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: RenamesItself
Program crash
Loads dropped DLL
Unpacked files:
SHA256 hash: 1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414
MD5 hash: 3f268b389f38ec192b277b9a25c98d5d
SHA1 hash: 1183033b53ace85fe7432d9192dae5c64a889b2a
SHA256 hash: f96912b9444d7d352d21a03cb568f3e27d3df2fc1e4298ea15e2c9bea86309e8
MD5 hash: a2c8142e9ca0cab89cbba79d2edd95a6
SHA1 hash: 0be192a3c60dd00bc6b92e1b01dfe24f1d8740c2
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe 1d806080181a1cae20bd36f6508bd5f26bd3f4de7f34d82bdb77789682570414 (this sample)

Delivery method: Distributed via web download

Comments