MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 5 File information Comments

SHA256 hash:	3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163
SHA3-384 hash:	3f38d00c37e9b5e5de4197fd5f08eaaa6bdbcf33375b8e1187cd7d87403436dcacf45463aa583a5c07378e4b2c786a10
SHA1 hash:	5400ff76e2f46ad026e501c0a90cce36fa43c631
MD5 hash:	90555333e767c4f1254a74fa8a793d2b
humanhash:	nevada-cola-mango-fourteen
File name:	3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163
Download:	download sample
File size:	1'568'768 bytes
First seen:	2021-06-09 22:46:13 UTC
Last seen:	2021-06-09 23:37:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	e46104cff241b795c3b20f9431c74064
ssdeep	24576:mJ24dUNXvw/O1yKYcQXYhpQAvdjeTAbwW/tCTEWChPGK:mptWAYJjeTIqToZ
Threatray	36 similar samples on MalwareBazaar
TLSH	3075BE191BA742A2DB153779C9B696A409191F431F28C0B66E310D1EBD2724FFC23EBD
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

161

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163

Verdict:

Malicious activity

Analysis date:

2021-06-10 09:23:59 UTC

Tags:

installer

Link:

https://app.any.run/tasks/4537b792-5290-4c8b-9aa9-4201d99cf03c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/165720/

Detection(s):

SecuriteInfo.com.BackDoor.Farfli.131.3199.3572.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the Windows directory

Creating a window

Sending a UDP request

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163/

Threat name:

Win32.Trojan.TrickBot

Status:

Malicious

First seen:

2021-06-06 15:56:00 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Verdict:

suspicious

248c72c5eb7823243a820b9935e49534d8a94b91a6528afd8db98c9e8f56fbc0

389ddb82e254c476a6e3e2534182314d4702ce525371c2bcd5da6ef19d4851fb

3ce7a091f24c19dd1a0875c60f9e97ee017435614198c62ca97220658723b785

43919cb86c587b0587b051f513b236247e4fd95cba88a8198e30c4603082cad8

8872e76ffc38017c1b3ef4b07756edb26c82cf45cceb8ed4d8c153c358fb5674

979405efabab43a36e009a0bd005b01d4a4faf9113d14e3fc78865eb461bbc61

a66d1021e54269963e9a54892869d569ffa1c74d9fb1b67f023ea5fdfd90c1a6

ea45f9b3dd2e613bb9cb0659dcf6d66ca092738fc510e37226bb99542ad685c8

eb6478f051ae5b16921ed95f6a2f761512c79787ac2b54f0d00742ad526c34b8

+ 26 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

6/10

Tags:

persistence

Link:

https://tria.ge/reports/210609-gq2dbas2z2/

Behaviour

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Drops file in Windows directory

Adds Run key to start application

Enumerates connected drives

Unpacked files

SH256 hash:

b2a3ea6f79a2d7c8d7a111f8d6151a666822afbc95089b15ea5ca3b04d588b60

MD5 hash:

ab07d9637b29946cb5e1dc9b3cd936fd

SHA1 hash:

a197ec1378968db64a8668575fff658681d1d336

Link:

https://www.unpac.me/results/9e7b8a79-9e0d-4fff-873d-f750283ae65e/

SH256 hash:

3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163

MD5 hash:

90555333e767c4f1254a74fa8a793d2b

SHA1 hash:

5400ff76e2f46ad026e501c0a90cce36fa43c631

Link:

https://www.unpac.me/results/9e7b8a79-9e0d-4fff-873d-f750283ae65e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.74

Link:

https://yomi.yoroi.company/submissions/3698d2855e9efa5979d94dad6e2044627134de86015421ebf548682400fe2163

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_TOOL_RTK_HiddenRootKit Create hunting rule
Author:	ditekSHen
Description:	Detects the Hidden public rootkit

Rule name:	Mimikatz_Strings Create hunting rule
Author:	Florian Roth
Description:	Detects Mimikatz strings
Reference:	not set

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	without_attachments Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any attachment
Reference:	http://laboratorio.blogs.hispasec.com/

Rule name:	without_urls Create hunting rule
Author:	Antonio Sanchez <asanchez@hispasec.com>
Description:	Rule to detect the no presence of any url
Reference:	http://laboratorio.blogs.hispasec.com/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165720/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample