MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3
SHA3-384 hash: f446c31d40f78027ea1953bbf0b9598422fcff73aef69dd2db9d21dd3a614138e8d059f7867c65f2b98ac512acaa9d96
SHA1 hash: c7f9176ed2615364fb02d454918425814d52d4bf
MD5 hash: dca247cda2f20152feb8cf6b410fc093
humanhash: william-india-three-seventeen
File name:227d13f9a142cc6f050b7761e6c6e1bae712c4440730ec71c84e5acb274555e3
Download: download sample
File size:250'880 bytes
First seen:2020-06-10 11:45:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:qVXQF/5/FXRCy1PJ/V3RnlfZflXx31PJfdEjxHxj5/JThXxzZ/5DRHxD5/JTh3xS:2XQF/5/FXR31PJ/V3RnlfZflXx31PJf/
Threatray 1'139 similar samples on MalwareBazaar
TLSH DF34E8AE5719EF66E937B672500210424155F8C32DABF3BB9B8134A68D01E8C0FD6ED7
Reporter JAMESWT_WT

Intelligence

File Origin
# of uploads :
1
# of downloads :
56
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 09:47:41 UTC
File Type:
PE (.Net Exe)
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0424b503bc1150372d0e31c85f9cef36d0b656a7c0d3f59663e6a468d0d7ba00
2d0eb35f04745646d8c6eb3d1ab1c3e8bc8c30f1a9dc0ad89ea260e898ed9d4e
45e9481702b87e03705d35c12c5a8a3d795d42f91d562cba539999846c729686
4ae809a33d01626e77dcfd591902815692405d2fa1f6ae7df13ca248507e4562
65ac9daf3070161ac996fb8946632599547f1c9450d7dcd0f8dc1c85b4e8b3b7
6985917d29596b66d9bbc745a13d5577110d9b0408719c5559d23dd59a9e4f0b
9a4e6b6a25332f21e4e15bd5c67ea1613db78bf02fa3cef2eba47f27723f8d58
b23eb66e588b47a73b393c87467b0b2b0431d9d346368efeaa36a76c7877cd27
c855a83b6b0b51c9e9bc1b2676d5644f1c578b87734517ce63820ca33d155707
ea6bafd96818930f83200987d64c970ad03afcae9d69fbde9dd18f2ace154a99
+ 1'129 additional samples on MalwareBazaar
Result
Malware family:
dharma
Create hunting rule
Score:
  10/10
Tags:
family:dharma persistence ransomware spyware
Link:
https://tria.ge/reports/201109-8klfw4zlsn/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Interacts with shadow copies
Drops file in Program Files directory
Drops file in System32 directory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies extensions of user files
Deletes shadow copies
Dharma
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments