MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Hive

Vendor detections: 9

Intelligence 9 IOCs YARA 10 File information Comments

SHA256 hash:	2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f
SHA3-384 hash:	b9317875f7230bfeabe0e79f41ca66a8f1c7ac4cd67437ae3b702ad12e537ac78f432a55e0e3487a1ff32ac36d91b4a3
SHA1 hash:	f7af4aaaede1f17f5697958a7ec4b884ea4fd38c
MD5 hash:	074b640fedb42b86bfeb83b15a32b6fd
humanhash:	cat-salami-high-oranges
File name:	2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f
Download:	download sample
Signature	Hive Create hunting rule
File size:	2'521'088 bytes
First seen:	2022-09-24 05:59:29 UTC
Last seen:	2022-09-24 07:02:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	9cbefe68f395e67356e2a5d8d1b285c0 (61 x LummaStealer, 49 x AuroraStealer, 45 x Vidar)
ssdeep	49152:wQ48xW13FHrb/TSvO90d7HjmAFd4A64nsfJxP60Ng4GdzT5/xbD1BNQXSpJrpqVt:wB3eTdViLQ
TLSH	T182C57C43BC90A4B5C9EA92328A7992917731BC590F3077D73B10B6BA2F727C05E79364
gimphash	adaccd4d1b219b3f3835e13efdccbd671475c47dc1a7e5f12f44b31e7a292a45
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter	JAMESWT_WT
Tags:	bat loader exe exe Hive morpheus

Intelligence

File Origin

# of uploads :

# of downloads :

354

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f

Verdict:

Malicious activity

Analysis date:

2022-09-24 06:01:11 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/632ee1c2-2bf3-44e4-80ca-efbfc5c36bb4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/312767/

Detection(s):

SecuriteInfo.com.PossibleThreat.PALLASNET.M.8422.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/38706/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

golang greyware packed

Link:

https://www.filescan.io/uploads/632e9ce88bbb4941c6e4f177/reports/d8b970e8-bd1a-4e42-9937-076db66ab251/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5c659600-3804-407c-ad62-10b37db812a5

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/1076303

Signature

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=eycgi7ds6swtfb7n7btav5apxiq62s75jn2kbogruv6bmpbhfshq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/220924-gqbavacacp/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d27ddb64-d591-4b1f-bf00-296da5770810

Unpacked files

SH256 hash:

2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f

MD5 hash:

074b640fedb42b86bfeb83b15a32b6fd

SHA1 hash:

f7af4aaaede1f17f5697958a7ec4b884ea4fd38c

Link:

https://www.unpac.me/results/89e38a04-39d1-4e74-9085-39a6929a6f58/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/2604647c72f4ad3287edf8660af40fba21ed4bfd4b74a0b8d1a57c163c272c8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	identity_golang Create hunting rule
Author:	Eric Yocam
Description:	find Golang malware

Rule name:	methodology_golang_build_strings Create hunting rule
Author:	smiller
Description:	Looks for PEs with a Golang build ID

Rule name:	RansomwareTest3 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest4 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

Rule name:	RansomwareTest5 Create hunting rule
Author:	Daoyuan Wu
Description:	Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/312767/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample