MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac
SHA3-384 hash: e3f5b4ec28ef046034342bd1422f1f9970ec825cd6ae7bf3d2689b21984a7609959ce2a5444ca929985278df8de05cbc
SHA1 hash: 1c957b5db15fa270347572103fd4b8c309662ab4
MD5 hash: aa869db51c9a1546999c67bb574cc933
humanhash: happy-moon-blue-golf
File name:32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac
Download: download sample
File size:4'277'848 bytes
First seen:2021-07-12 07:11:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 93a138801d9601e4c36e6274c8b9d111 (11 x CobaltStrike, 9 x Snatch, 8 x LaplasClipper)
ssdeep 49152:7CT6tW0G0MX7RK854yXh2MD74ugpiWcuAercnqKR3SWaKAisywIGjg+AYAwgQAwI:7qP0GFXhBD7jWHAerM0KtB+AQC
Threatray 179 similar samples on MalwareBazaar
TLSH T19A166C50F9EB84F5EA035A3048A7A37F6330B6099738DBD7C6449E67F927AD10933216
Reporter JAMESWT_WT
Tags:BIOPASS exe signed

Code Signing Certificate

Organisation:Rhaon Entertainment Inc
Issuer:thawte SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2019-01-02T00:00:00Z
Valid to:2021-03-02T23:59:59Z
Serial number: 06808c5934da036a1297a936d72e93d4
Intelligence: 35 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: b3ba6284885eadff7d2f7469c8c4aa2facc804ef21e54266fc543cc28e7c0cd4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac
Verdict:
No threats detected
Analysis date:
2021-07-12 07:46:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3d0d708f-1312-411a-848a-168686984eba

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/170964/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Malware.gen.19341.12870.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/46719d7e-3408-44de-86ba-9d7510f1a786
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
54 / 100
Link:
https://www.joesandbox.com/analysis/814597
Signature
Drops PE files to the user root directory
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 447008 Sample: Yfp7FumWl3 Startdate: 12/07/2021 Architecture: WINDOWS Score: 54 94 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->94 96 Multi AV Scanner detection for submitted file 2->96 98 Sigma detected: Execution from Suspicious Folder 2->98 12 Yfp7FumWl3.exe 56 2->12         started        17 VC_redist.x86.exe 2->17         started        19 ServiceHub.Host.CLR.exe 2->19         started        process3 dnsIp4 92 flashdownloadserver.oss-cn-hongkong.aliyuncs.com 47.75.19.237, 443, 49714, 49715 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 12->92 78 C:\Users\Public\vc.exe, PE32 12->78 dropped 80 C:\Users\Public\Silverlight.exe, PE32 12->80 dropped 82 C:\Users\Public\ServiceHub\winsound.pyd, PE32+ 12->82 dropped 84 47 other files (none is malicious) 12->84 dropped 102 Drops PE files to the user root directory 12->102 104 Uses ping.exe to check the status of other devices and networks 12->104 21 cmd.exe 1 12->21         started        24 PING.EXE 1 12->24         started        27 cmd.exe 12->27         started        29 cmd.exe 12->29         started        31 VC_redist.x86.exe 17->31         started        file5 signatures6 process7 dnsIp8 100 Uses schtasks.exe or at.exe to add and modify task schedules 21->100 33 vc.exe 3 21->33         started        36 conhost.exe 21->36         started        90 baidu.com 220.181.38.148 CHINANET-IDC-BJ-APIDCChinaTelecommunicationsCorporation China 24->90 38 conhost.exe 24->38         started        40 conhost.exe 27->40         started        42 powershell.exe 27->42         started        44 schtasks.exe 27->44         started        46 conhost.exe 29->46         started        48 powershell.exe 29->48         started        50 VC_redist.x86.exe 31->50         started        signatures9 process10 dnsIp11 68 C:\Windows\Temp\...\vc.exe, PE32 33->68 dropped 53 vc.exe 71 33->53         started        88 192.168.2.1 unknown unknown 50->88 70 C:\Windows\Temp\...\wixstdba.dll, PE32 50->70 dropped 56 VC_redist.x86.exe 50->56         started        file12 process13 file14 72 C:\Windows\Temp\...\VC_redist.x86.exe, PE32 53->72 dropped 74 C:\Windows\Temp\...\wixstdba.dll, PE32 53->74 dropped 58 VC_redist.x86.exe 25 18 53->58         started        process15 file16 76 C:\ProgramData\...\VC_redist.x86.exe, PE32 58->76 dropped 61 VC_redist.x86.exe 58->61         started        process17 process18 63 VC_redist.x86.exe 64 61->63         started        file19 86 C:\Windows\Temp\...\wixstdba.dll, PE32 63->86 dropped 66 VC_redist.x86.exe 63->66         started        process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac/
Threat name:
Win32.Adware.RedCap
Create hunting rule
Status:
Malicious
First seen:
2020-12-28 20:50:46 UTC
File Type:
PE (Exe)
Extracted files:
5
AV detection:
6 of 46 (13.04%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6
3816722f95463c51bb6203427a2c1947332e231bea0cd1297abfb8b89d109326
3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444
3e8f8b8a5f70c195a2e4d4fc7f80523809f6dbf9ead061ce8ef04fb489a577cf
5dc4c9f9b91f1d349aa12569b1c9e792710adbc5d8e200b89f92c920008901fc
b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea
c11906210465045a54a5de1053ce0624308a8c7b342bb707a24e534ca662dc89
cf76d84527415e188f5954b3c7289ad60f3b36ad0aedb913c53cf398243609a9
e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c
fa7fbca583b22d92ae6d832d90ee637cc6ac840203cd059c6582298beb955aee
+ 169 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/210712-nl7pq1wwza/
Behaviour
Checks SCSI registry key(s)
GoLang User-Agent
Modifies data under HKEY_USERS
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks installed software on the system
Loads dropped DLL
Downloads MZ/PE file
Executes dropped EXE
Unpacked files
SH256 hash:
32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac
MD5 hash:
aa869db51c9a1546999c67bb574cc933
SHA1 hash:
1c957b5db15fa270347572103fd4b8c309662ab4
Link:
https://www.unpac.me/results/2988c669-514b-45a2-8487-bece3e1da1a2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32a3934d96a8f2dae805fa28355cd0155c22ffad4545f9cd9c1ba1e9545b39ac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/170964/

Comments