MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2
SHA3-384 hash:	7340814a6f8642574516228b6bf63c158d737c65735e3f0d1d2ee2562c57b1e3f1fc32748190e76d2cecfb02b4f6cd8c
SHA1 hash:	f60c2bf8b00efaf508bc3f27a30d416389b3c9ea
MD5 hash:	6b2532726499d8ac2ffd7b73c91d9139
humanhash:	salami-hawaii-quebec-harry
File name:	十一月份公司值班人员调班通知.cmd
Download:	download sample
File size:	557'056 bytes
First seen:	2020-11-12 19:03:52 UTC
Last seen:	2024-07-24 12:38:17 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	44f89579eb361ed4b01c0935367527d6
ssdeep	6144:Ko5Pghw3miIHzAzMNsdYOrRrRZJ/jr5MR6p:Kor3miIHoMOdYOrR9DCAp
Threatray	1 similar samples on MalwareBazaar
TLSH	96C4C10DA493BCE9F622CDFC08ADA365EA1A3D90874135CB117CF67916BDAD1A1313C6
Reporter	Anonymous

Anonymous

Delivered via Telegram

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.W32.AIDetectVM.malware1.32601.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Sending an HTTP GET request

Creating a file

Delayed reading of the file

Creating a file in the %AppData% subdirectories

Deleting a recently created file

Searching for the window

Creating a process from a recently created file

DNS request

Sending a custom TCP request

Enabling autorun by creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2020-11-12 23:42:03 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Verdict:

suspicious

Result

Malware family:

n/a

Score:

8/10

Tags:

vmprotect

Link:

https://tria.ge/reports/201112-5xlyl1dzt6/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates connected drives

Loads dropped DLL

Executes dropped EXE

VMProtect packed file

Unpacked files

SH256 hash:

2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2

MD5 hash:

6b2532726499d8ac2ffd7b73c91d9139

SHA1 hash:

f60c2bf8b00efaf508bc3f27a30d416389b3c9ea

Link:

https://www.unpac.me/results/17061fe0-68bc-4c92-b2b1-d2c24e4b7c8f/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample