MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20024275bdc24c816fc87095f7619efbf9dfb12aae1ce64e492378d26a7ecc0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 10

SHA256 hash: 20024275bdc24c816fc87095f7619efbf9dfb12aae1ce64e492378d26a7ecc0b
SHA3-384 hash: 6dc017577f26ec9dc05800da7a6946d7d9ea2a6a0e537bff5c47f0eba09e705be36df4cbb5b233fa757306c0a0313876
SHA1 hash: 15a17570eef0c9b2c39794652e0e89ec0736b34f
MD5 hash: 0936982741c352bb418d017c4bb42d3f
humanhash: oregon-pluto-oregon-beer
File name: 战神传奇.exe
File size: 6'568'192 bytes
First seen: 2023-01-05 18:57:32 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 296df6d34c5cd51c253772b859775151 (1 x AsyncRAT, 1 x RecordBreaker)
ssdeep: 196608:F4HKDQBKkXy+XWt815j5tDobSUFQHe/+iInaS:FaK0BK+Hvj5t0ZFQHgS
TLSH: T118663364BAC415BAD1271F306DAAC259586AFB207E3C048377DF050C9E7E3A7B71631A
TrID: 33.2% (.MZP) WinArchiver Mountable compressed Archive (3000/1)
      22.4% (.EXE) OS/2 Executable (generic) (2029/13)
      22.1% (.EXE) Generic Win/DOS Executable (2002/3)
      22.1% (.EXE) DOS Executable Generic (2000/1)
dhash icon: d3c769258525555f (1 x Cybergate)
Reporter: atomiczsec
Tags: exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 186
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 战神传奇.exe
Verdict: Malicious activity
Analysis date: 2023-01-05 18:59:36 UTC
Tags: loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a window
Creating a file
DNS request
Searching for the window
Sending an HTTP GET request
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug dllhost.exe overlay packed regsvr32.exe replace.exe shell32.dll
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PE file has a writeable .text section
PE file has nameless sections
Tries to evade analysis by execution special instruction (VM detection)
Threat name: Win32.PUA.GameHack
Status: Malicious
First seen: 2023-01-05 18:58:19 UTC
File Type: PE (Exe)
Extracted files: 188
AV detection: 14 of 26 (53.85%)
Threat level: 1/5
Verdict: malicious
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Downloads MZ/PE file
Verdict: Informative
Tags: n/a
YARA: n/a
Unpacked files
SHA256 hash: fda6a046ccaa6bbb1a5f7c75e9ff7d936aaf841d1fbced495141604dcac081a8
MD5 hash: 048e4659465b2f39511cf2e81a7e5a3b
SHA1 hash: f447e872bb8d0878d9a708ff661be523361464dd

SHA256 hash: 79179bf00d61139159dad10cec770e034376d2daede340ce643febcfd2b29ddf
MD5 hash: 29be85a6a9fba5739b6475e6592d7279
SHA1 hash: 9885cfaf7471e0ac667f7722b398e3b7849355ca

SHA256 hash: dadca335ab25517609326de40001ea5aaeb0bfa1139f3458df26b07209dc121b
MD5 hash: 5f2a0d681844db68511822247258b551
SHA1 hash: 8fc493af235064349122c82d6bdfb010762734c3

SHA256 hash: feb8d6f800c5e4c59b7310ef71b0bf4cbebb9ad84d2238759058468e654a2abe
MD5 hash: 52099dc0826923842a8e015566fc3fcd
SHA1 hash: 8d5f1e81ca3679c3f9265bdff1b42e3d81f66ce8

SHA256 hash: 26bee0363de4645a035813f3118d69b5008200e92df1c215fd611246e7619513
MD5 hash: 13bf56795209c6a48ec7be52a112dc50
SHA1 hash: 87fa7b572c20f16c16324fc022bc7fa24fc9fbe0

SHA256 hash: d8e895e55f22bc0cd93166a91171ced3da410fc928060261ddadcdeebfb992ca
MD5 hash: 82dff13bfe804b14b910627591f599b6
SHA1 hash: 6e6c6c8470da8ed644f87298b22cc1170a4e62de

SHA256 hash: afb4fa198bfa7843701b5646658029a52fc56ff82854ba3e9b2476ee6b8c361f
MD5 hash: 6014dbf738d8768ca9a744ccc5bf2de2
SHA1 hash: 4579ce04da8207c34d5678ab2a86bc40b0c11a7a

SHA256 hash: 28db69bcfe0370748cbb4e3642a1bae3071cb3304b1bb678c730f623dde992f1
MD5 hash: 97c01b31126cf0f5953593d1c06925b0
SHA1 hash: 29600dd0060c0402a16a9e44add7ae2f903cdd8e

SHA256 hash: 8e9599bf7a23f1f4f140b43d99f5044ed892ff966600365084925e6113ab3d77
MD5 hash: b3da86331f42d750dd146ca223d449a5
SHA1 hash: 94fd1aec5c21a17021e88d8a878a17077c8f3816

SHA256 hash: 41e5a04ca2f4bc37823148316c46accde2368f2d6693fa64358e36687df6d846
MD5 hash: b430d4b44993270df3be6a04f025ceb6
SHA1 hash: 5283b91ba838ac725630b553539143bfefa3578d

SHA256 hash: 20024275bdc24c816fc87095f7619efbf9dfb12aae1ce64e492378d26a7ecc0b
MD5 hash: 0936982741c352bb418d017c4bb42d3f
SHA1 hash: 15a17570eef0c9b2c39794652e0e89ec0736b34f

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: INDICATOR_EXE_Packed_Enigma
Author: ditekSHen
Description: Detects executables packed with Enigma

Rule name: INDICATOR_EXE_Packed_Loader
Author: ditekSHen
Description: Detects packed executables observed in Molerats

Rule name: meth_get_eip
Author: Willi Ballenthin

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments