MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
SHA3-384 hash: fda82b8bd19f4b8b8e70f4f6ffcbffe60b2346cabf30c23fcaf1c35a52262afe8f563323bf60c4b5d0a0d806dbb856e0
SHA1 hash: 17356b91dd8292bddea7300c3a9fc1a98fccd11f
MD5 hash: af36c20219a8f5fa58d205a9e5db1cc1
humanhash: five-seven-virginia-social
File name:af36c20219a8f5fa58d205a9e5db1cc1
Download: download sample
File size:2'831'872 bytes
First seen:2021-12-20 14:23:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 42b27a080e9ee0252f310f33fbc7cafc
ssdeep 49152:Ep3E17UuOvitzFLoCpu+8rgTlQe8cc6i2hddOlUWHYb5OlE0maX3K8Z:Ep01QudD8rgpQe8cc6iad5zaXx
Threatray 8'343 similar samples on MalwareBazaar
TLSH T1F7D5332A9B45CB47C5D69C73F6B3E405C2012FA52E71EE20A4BF1154BF2B99FE2095B0
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215476/
Detection(s):
SecuriteInfo.com.Trojan.Clipper.84.12695.24896.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2761/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
packed virus
Link:
https://www.filescan.io/uploads/61c092058991ba72b38e9b0a/reports/5e1ee9f1-e801-4bc0-b5af-a086b28f8e6d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3aa63023-9535-4167-9864-a519fc60d764
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/910306
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81/
Threat name:
Win32.Packed.Themida
Create hunting rule
Status:
Malicious
First seen:
2021-12-20 12:40:54 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 28 (85.71%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
0e9d7dd7f56cf707f449e9c046499f2b0a4a953794af5e7a15d3a6d5971594ef
32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
3836136ddb7cfa2fc48e44c6b385da79df47380445f4c4fdaf552cf0aeb09816
42173b9b5ae6bcec8b65312e270633a3df6fa4355c9ac4973486291f0fcd8052
70797599ab85bc7961922e179e9836d64e85a9ed21f85877442529d0d23daad5
8f983b92dea0643ef2b8411e5506def0c0235b1addd4daa9d13e59ff4f88a1ef
96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3
e13fb6156b386d9cea3a46c3835a97636ad0eeddda3b354f86f19915721638fc
f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138
f1625b7d5fbc31ce741aeaa3af8d20d7cc7d07d6652b3b873b26a6a81e70e32a
+ 8'333 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211220-rqp44saha6/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6f86acd01f7ce854719f031c11414a117a835721707191dce0ad1aa2bb04eb02
MD5 hash:
72bbfca4d1b1c77537068f840ba1e711
SHA1 hash:
49bea3561a6e563cf3b61075114bc042ee9546b6
Link:
https://www.unpac.me/results/f01e3691-05f1-4ac1-9155-9aac3811f769/
SH256 hash:
3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81
MD5 hash:
af36c20219a8f5fa58d205a9e5db1cc1
SHA1 hash:
17356b91dd8292bddea7300c3a9fc1a98fccd11f
Link:
https://www.unpac.me/results/f01e3691-05f1-4ac1-9155-9aac3811f769/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 3276687dad3c0a8d82bd752b2591c7d0b89c823a2e9761b4db8c95e9cd842f81

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/215476/
  
URLhaus
https://urlhaus.abuse.ch/url/1902381/

Comments


Avatar
zbet commented on 2021-12-20 14:23:48 UTC

url : hxxp://liotuo01.top/download.php?file=librid.exe