MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10
SHA3-384 hash: 1698700744454bcd22db899aac04a7521e1bf6e4fa550d531f3b8f1a7a40893e21ac4b25ade5f18be8718e686d07b7fa
SHA1 hash: b4ffeac7e7b25409b709377430dfe8821ca21e6e
MD5 hash: 7162fdf107c2d36f99c59d5435a4d399
humanhash: violet-salami-coffee-sweet
File name:1.dll
Download: download sample
File size:371'712 bytes
First seen:2021-10-12 23:09:39 UTC
Last seen:2021-10-13 00:09:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c7d8f2d1b9e135455150e0ea1a7960b
ssdeep 6144:RM8CPvvwq0YslcteDNCfgQ/Fkp8HuubxwHdy/6E6OuUNkTf:kvvwTYslTMIQQubxTNkD
Threatray 14 similar samples on MalwareBazaar
TLSH T1D1849D1677A04CB9E967823D8A678602E7F27C410B20CADF07A4076F6F37BD1597A721
Reporter malwarelabnet
Tags:exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Documents.iso
Verdict:
Suspicious activity
Analysis date:
2021-10-12 23:10:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/02a2b80d-00a2-419e-bc3c-43506f0b841e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197053/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.78714.14260.13146.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/616615cffd35fe780c3bbd3a/reports/73c318b4-33e3-428d-951f-bdc198cedd57/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf6c81f0-32dd-4a13-81a5-81293f0b8bb9
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/869130
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501554 Sample: 1.dll Startdate: 13/10/2021 Architecture: WINDOWS Score: 72 94 Sigma detected: UNC2452 Process Creation Patterns 2->94 10 loaddll64.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 cmd.exe 1 10->16         started        19 rundll32.exe 10->19         started        21 rundll32.exe 10->21         started        23 4 other processes 10->23 signatures5 88 Uses ping.exe to sleep 16->88 90 Uses cmd line tools excessively to alter registry or file data 16->90 92 Uses ping.exe to check the status of other devices and networks 16->92 25 rundll32.exe 16->25         started        27 cmd.exe 1 19->27         started        30 cmd.exe 1 21->30         started        32 cmd.exe 1 23->32         started        process6 signatures7 34 rundll32.exe 25->34         started        48 2 other processes 25->48 104 Uses ping.exe to sleep 27->104 37 rundll32.exe 27->37         started        39 PING.EXE 1 27->39         started        42 conhost.exe 27->42         started        44 rundll32.exe 30->44         started        50 2 other processes 30->50 46 rundll32.exe 32->46         started        52 2 other processes 32->52 process8 dnsIp9 96 Modifies the context of a thread in another process (thread injection) 34->96 98 Injects a PE file into a foreign processes 34->98 54 cmd.exe 34->54         started        57 cmd.exe 34->57         started        59 cmd.exe 37->59         started        61 cmd.exe 37->61         started        86 192.0.2.186 unknown Reserved 39->86 63 cmd.exe 1 44->63         started        65 cmd.exe 1 44->65         started        signatures10 process11 signatures12 82 2 other processes 54->82 84 2 other processes 57->84 67 conhost.exe 59->67         started        69 reg.exe 59->69         started        100 Uses cmd line tools excessively to alter registry or file data 63->100 71 reg.exe 1 1 63->71         started        74 conhost.exe 63->74         started        76 rundll32.exe 65->76         started        78 conhost.exe 65->78         started        80 choice.exe 1 65->80         started        process13 signatures14 102 Creates an autostart registry key pointing to binary in C:\Windows 71->102
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10/
Threat name:
Win64.Trojan.Reflo
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 23:07:23 UTC
AV detection:
8 of 41 (19.51%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1bf28e7bb5cf75e005c6a8f647b7cd0a6a5b5e1455a8a902a81aef774aac27e6
314449ff757b308d440796441176566d3a6c17522dd75a8b24b70aab80458065
4ef27aa805d70d310dd56575525553be1baf7a48d4e7327f056ca0a5859c6ff6
508a816001e6d2f7b6617d9009e97c533d02d366055dad4eb17a9ee38915fa4b
60e3f1aa7f85ea1f92ad1415eb2fd129b790d84954a6537761be3e63338f2de7
8e4c165eb5f1072f84dfd76fd4966e455eaeb0df3a14d20559253d2ebabf7114
b0912554158dfc4bad48096f61b9312405ee97e802447fdfa52ed64ee4bf023d
b23360e8388e32799d7ffa2e427131a8d5d9aa0dfa9c46c1392c1de9032be54c
e6ecad8148c06e8e0fa14f1e3c9026703891b291c25180fe4936260c967d1c15
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211012-25p3rsdda2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10
MD5 hash:
7162fdf107c2d36f99c59d5435a4d399
SHA1 hash:
b4ffeac7e7b25409b709377430dfe8821ca21e6e
Link:
https://www.unpac.me/results/65e33bd6-4540-468f-a79d-8dca18deff9c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197053/

Comments