MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c
SHA3-384 hash: 8230b617c100f25515fa85d422d52c481bfb38546e6a4d6e084b4422cca65869fe99196b0d40f4e1543a5e56f34adabe
SHA1 hash: 9b9b131522eb55910ee2199768f4a2d7cf36092d
MD5 hash: d0efa396aec4477851bb35136c716732
humanhash: oxygen-kentucky-emma-pluto
File name:daiparl (1).exe
Download: download sample
File size:3'402'720 bytes
First seen:2021-09-28 09:44:33 UTC
Last seen:2021-09-28 12:08:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 49152:tqe3f6aXdXWOfI7wgBVJYWBX/Ac4cxaMsm1wezopmJedSffPMWrQ0Zke:8SiaXEOfI51CMsmuIJNnPcM5
Threatray 86 similar samples on MalwareBazaar
TLSH T155F5013FF268A53EC46E1B3245B39250987BBA61681A8C1F07FC390DCF765601E3B656
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter JAMESWT_WT
Tags:arostetelemacca exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
daiparl (1).exe
Verdict:
Suspicious activity
Analysis date:
2021-09-28 10:03:55 UTC
Tags:
installer
Link:
https://app.any.run/tasks/bea65efa-891b-4e69-9980-5ec0cec3a200

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/192646/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/5ce24258-8a48-4c3a-94da-6f3e6212e761
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/859697
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Copying Sensitive Files with Credential Data
Uses bcdedit to modify the Windows boot settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 492128 Sample: daiparl (1).exe Startdate: 28/09/2021 Architecture: WINDOWS Score: 72 53 imagizer.imageshack.com 2->53 55 h9i4k4c8.stackpathcdn.com 2->55 65 Multi AV Scanner detection for submitted file 2->65 67 Uses bcdedit to modify the Windows boot settings 2->67 69 Sigma detected: Copying Sensitive Files with Credential Data 2->69 9 daiparl (1).exe 2 2->9         started        signatures3 process4 file5 43 C:\Users\user\AppData\...\daiparl (1).tmp, PE32 9->43 dropped 12 daiparl (1).tmp 3 16 9->12         started        process6 file7 45 C:\Users\user\AppData\Roaming\WMDRMSDK.dll, PE32 12->45 dropped 47 C:\Users\user\AppData\Roaming\Chrome.exe, PE32 12->47 dropped 49 C:\Users\user\AppData\...\googlesystem.exe, PE32 12->49 dropped 51 2 other files (none is malicious) 12->51 dropped 71 Uses bcdedit to modify the Windows boot settings 12->71 16 Chrome.exe 1 12->16         started        19 cmd.exe 1 12->19         started        21 cmd.exe 1 12->21         started        23 5 other processes 12->23 signatures8 process9 signatures10 57 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->57 59 Hijacks the control flow in another process 16->59 61 Writes to foreign memory regions 16->61 63 Allocates memory in foreign processes 16->63 25 notepad.exe 16->25         started        27 conhost.exe 19->27         started        29 mountvol.exe 1 19->29         started        31 conhost.exe 21->31         started        33 setx.exe 1 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 23->37         started        39 conhost.exe 23->39         started        41 2 other processes 23->41 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c/
Threat name:
Win32.Downloader.Penguish
Create hunting rule
Status:
Malicious
First seen:
2021-09-24 07:33:12 UTC
AV detection:
6 of 45 (13.33%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
389c556e30252966f34f1bc23348e182af2c0883771f9c8abe299a8ba54b1f6a
3f145e6eb89b9f7f01080d21b89ea423b288eaa00c8d760e5cb40b6ef5e0b366
5aa9861dcb5890caaadd311b1eed80e2ae65bd0d46937cc3bdee4757da908fc6
5b9eef2199515e5bf4cd00a176b35747f8bc9984183213fec864aca2c1918a70
66dfb7c408d734edc2967d50244babae27e4268ea93aa0daa5e6bbace607024c
88c109e8bca8a35c02efa6ce6f27bb714d16623382cd8181011e8776c5f017a5
9ccce653cb66833e9396151f5bc65f6c2744d955a9eaedad81eccd3da252803e
cb4f55308ba1f8617c00505983b42da10d704960a1dbef03075f370015f6f21b
d8eb5792d969c21c364da69eca1322ab5f63e0a39b0e542bad4ee95be873c296
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210928-lq26sabdg9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
3f6e45c4072a09e985d764f72b3fed05d4e284f3a0d53b05b691c7de6e02e8eb
MD5 hash:
e7772da490bec982d110aea689c1b927
SHA1 hash:
d6fe58391cfd78d76c793963ab3265138fda7d21
Link:
https://www.unpac.me/results/e169de08-e367-44b4-9990-4a81b06f5a0e/
SH256 hash:
27da15728d96b073d05d01d801c723cade28a62f84c51ba1655a0d5c5b81c927
MD5 hash:
1478ce8ea39be0965e6084d53cee44ca
SHA1 hash:
4fff4f326425eee6689edf1db6ef5855af8a4f27
Link:
https://www.unpac.me/results/e169de08-e367-44b4-9990-4a81b06f5a0e/
SH256 hash:
accf990d04d02a9d26ecff0ffff31db63e4ef6e1fbfc4fc274f5bb06fa90ce06
MD5 hash:
c6eb26703d6ecbb61cba042368295d4a
SHA1 hash:
0e41c106c74d1ee4481ee26943047c727253a586
Link:
https://www.unpac.me/results/e169de08-e367-44b4-9990-4a81b06f5a0e/
SH256 hash:
d6ab300900dc201a4c38e7bf292675a49e62880786ecc941973427b677b8bd2e
MD5 hash:
4a61ca0c7aa61d64fcbfbc5464389b10
SHA1 hash:
3711b72782d900ee58d42963aca70bd8c7b33469
Link:
https://www.unpac.me/results/e169de08-e367-44b4-9990-4a81b06f5a0e/
SH256 hash:
268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c
MD5 hash:
d0efa396aec4477851bb35136c716732
SHA1 hash:
9b9b131522eb55910ee2199768f4a2d7cf36092d
Link:
https://www.unpac.me/results/e169de08-e367-44b4-9990-4a81b06f5a0e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/268525c7023d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 268525c7023d25f141e7b756092d7566a1d1ce9407d3d31325dd4bf231208d6c

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1646531/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192646/

Comments