MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
SHA3-384 hash: 3e740a068c1ab2216d93d274b3e8fa7c7507a06ca873fa0a94065cc36eaffd725c808c544998488f83f0204241c2cc29
SHA1 hash: 8c58e0e886a615cee214ae5d861991cb95739026
MD5 hash: 9f883f2908f53b5fb73c1be1a271f740
humanhash: september-oregon-mango-romeo
File name:9f883f2908f53b5fb73c1be1a271f740
Download: download sample
File size:2'849'792 bytes
First seen:2021-12-19 08:57:43 UTC
Last seen:2021-12-19 11:01:46 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 42b27a080e9ee0252f310f33fbc7cafc
ssdeep 49152:6OH16R/I22DHXu9c92R6TzHY1jcvO8xzr0rYxGf5NXxCvhQw:OR/I2QHF92MTzHY1jcvNh0/fbXxCb
Threatray 8'309 similar samples on MalwareBazaar
TLSH T17FD53359854699EFF3A20EB41D0CDCD408877BE49ACC3573D63F0A5D723A40E7A285EA
Reporter zbetcheckin
Tags:32 exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/215253/
Detection(s):
SecuriteInfo.com.Trojan.Heur.GM.0000436180.8340.24281.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
DNS request
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a window
Result
Malware family:
n/a
Score:
  0/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/2599/overview
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed scar virus
Link:
https://www.filescan.io/uploads/61bef41d4ab5c44cbf48d362/reports/a9a2fc3e-e3ef-416c-a172-8b6c06f40266/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/179e391f-a688-435c-9e3c-650db956f816
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/909773
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6/
Threat name:
Win32.Trojan.Witch
Create hunting rule
Status:
Malicious
First seen:
2021-12-19 08:11:10 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3836136ddb7cfa2fc48e44c6b385da79df47380445f4c4fdaf552cf0aeb09816
7805fe3ed51586271c54f625091f394625e087a4157e3ad45e0222786772de8c
96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3
c386cf7d338f42a76cdc369c9d6d43f2ab6dca0853f80f0cee4770731ea18264
c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b
dd2867c397375bafb2706c13226805a2877725d93f61938b9f90a3a1f568f6c0
e2ab039851029d1511405468f5cbc7c6bb046a7005c7503078ebab6ef3708ed7
f0023f0cdf72f620b0d65713aa917d8f8a409b193e6031fa2fe2e4439b152138
+ 8'299 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/211219-kw6kqaghfm/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
992b98022fc8fb0efe4b6d9d95614ef4c169ef07e24f9338444649bc09f0edb9
MD5 hash:
4c8031f3919b535fba9477673586b955
SHA1 hash:
0e349cf5ced3f9aaa7bdb53b393e86fa9229e165
Link:
https://www.unpac.me/results/d20f7823-6f17-4787-8707-2fe653f8ada8/
SH256 hash:
32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6
MD5 hash:
9f883f2908f53b5fb73c1be1a271f740
SHA1 hash:
8c58e0e886a615cee214ae5d861991cb95739026
Link:
https://www.unpac.me/results/d20f7823-6f17-4787-8707-2fe653f8ada8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 32ecdeb650c1a54310c61847b3c86732290a4df1b51e95238868555e144ca9a6

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1897797/
Cape
Cape
https://www.capesandbox.com/analysis/215253/

Comments


Avatar
zbet commented on 2021-12-19 08:57:44 UTC

url : hxxp://ekuqap10.top/downfiles/gallah.exe