MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 248bfe1955c8bd51ae9bf6631a7bfc4e06fe2ddd0b68904dba4920f4e1316e90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 248bfe1955c8bd51ae9bf6631a7bfc4e06fe2ddd0b68904dba4920f4e1316e90
SHA3-384 hash: a7310de6c45a1883da91c489ed894d5fd52f1656226dea3e8cb19df2a6859dd571f02a78c67d482350ff3b767b8eada2
SHA1 hash: af2a1b2101d70f11134079dd2b56b1aec8d3b9ca
MD5 hash: d845cf07a8c96a31df95ea65086e9eff
humanhash: echo-kitten-queen-arkansas
File name:248bfe1955c8bd51ae9bf6631a7bfc4e06fe2ddd0b68904dba4920f4e1316e90
Download: download sample
File size:39'360 bytes
First seen:2021-11-16 11:30:23 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash ab08e4629a75b80e4430d16f744bf656 (1 x Heodo)
ssdeep 768:BVt+iRrYS51RNM7Odcse/bqvV3ugE7skOTmYsT4dzQJX3Cke+cD:YiRrY6R27OdWo9ugEfSzvND
Threatray 11 similar samples on MalwareBazaar
TLSH T14F039E52611828E3D949577828E72B2F8F50FB23EED57071A0D0D4CBDA8ABD31B9C365
Reporter JAMESWT_WT
Tags:dll POLE CLEAN LTD

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206391/
Detection(s):
SecuriteInfo.com.Variant.Bulz.774921.21567.1975.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay packed
Link:
https://www.filescan.io/uploads/6193967943e8f62b66953aed/reports/18cf4937-8660-467f-8d75-c43332d88ddf/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/35e4b5e0-f39a-4743-835a-0fe9811bc917
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/890316
Signature
Antivirus detection for URL or domain
Found C&C like URL pattern
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 522789 Sample: EI0R2nhW87 Startdate: 16/11/2021 Architecture: WINDOWS Score: 92 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Antivirus detection for URL or domain 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 3 other signatures 2->57 8 loaddll32.exe 1 2->8         started        10 powershell.exe 18 2->10         started        process3 dnsIp4 13 rundll32.exe 1 8->13         started        17 rundll32.exe 8->17         started        20 cmd.exe 1 8->20         started        43 192.168.2.1 unknown unknown 10->43 22 conhost.exe 10->22         started        24 Get-Variable.exe 10->24         started        process5 dnsIp6 47 107.173.81.145, 49763, 49764, 49765 AS-COLOCROSSINGUS United States 13->47 41 C:\ProgramData\service.eXE, PE32 13->41 dropped 26 service.eXE 14 13->26         started        49 System process connects to network (likely due to code injection or exploit) 17->49 31 service.eXE 17->31         started        33 rundll32.exe 20->33         started        file7 signatures8 process9 dnsIp10 45 188.130.139.47, 49767, 49771, 49774 ASKONTELRU Russian Federation 26->45 39 C:\Users\user\AppData\...behaviorgraphet-Variable.exe, PE32 26->39 dropped 59 Uses schtasks.exe or at.exe to add and modify task schedules 26->59 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->61 35 Get-Variable.exe 14 26->35         started        37 schtasks.exe 26->37         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/248bfe1955c8bd51ae9bf6631a7bfc4e06fe2ddd0b68904dba4920f4e1316e90/
Threat name:
Win32.Trojan.Drixed
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 02:37:09 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=esf74gkvzc6vdlu36zrru674jydp4lo5bnujatn2jeqpjyjrn2ia._file
Verdict:
malicious
Similar samples:
4d52f61961a8e584db24d2162cdcd12781bc4f63e32171964a51410421108401
6b74dc043f9a12823ed98d704e4c8543c9b5d8b9240e65e9d31d2303ab914906
785968cadb71152d2005691e064aeabd29136be4abff0ee932529110e319053e
7c964794e19b093b78a81da3b8dcafbe3d32153a044c19f6892829ed9ff71f46
851b9e416b22c80a435f7d11f0298272ad23a4ae49f6fbe23aafa0578c400bd0
a334885a72d65b2920f247d4a15de104e1b020713f08964316e566d8323bd474
c20d234ede75420204169f9b4b58bb30fd9907b6f0cc9eac77f7f133529ac5f9
d36674d4c3214e0b0560c6e172bb1765e085892959472afdda2f1debda84ca9d
dcb1145f599d5d198923781c0752a2c9c5906064138dab0f532fee5ab1e9aaf7
f5fd02ebd2376fd1bc1ff121e9bfda618755a5c049edc8a4288eb67eb1cc7f9b
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/211116-nmp36adeg3/
Behaviour
Suspicious use of WriteProcessMemory
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
248bfe1955c8bd51ae9bf6631a7bfc4e06fe2ddd0b68904dba4920f4e1316e90
MD5 hash:
d845cf07a8c96a31df95ea65086e9eff
SHA1 hash:
af2a1b2101d70f11134079dd2b56b1aec8d3b9ca
Link:
https://www.unpac.me/results/263b0bd7-cfb4-4ee0-9c31-21d75c677138/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/248bfe1955c8bd51ae9bf6631a7bfc4e06fe2ddd0b68904dba4920f4e1316e90

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206391/

Comments