MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3701e89a871bcd41d4acd221aa855fad14f9fbafbc21da9695b5084951e561c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RaspberryRobin


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash: 3701e89a871bcd41d4acd221aa855fad14f9fbafbc21da9695b5084951e561c7
SHA3-384 hash: fa89728620e1e8e34a4449f79eb9ac5f8601230a7559722381553ccbceb0456a65c5b42537acc18d99f69ddbd3d00356
SHA1 hash: 2da77c7d531ed6cc84c946b94b0892caa4a8e6a7
MD5 hash: bb1d1ccb1b6a37a19bb5cbbcb18ec382
humanhash: glucose-green-item-kitten
File name:keygen-step-2.cpl
Download: download sample
Signature RaspberryRobin
File size:1'875'968 bytes
First seen:2024-08-26 17:36:48 UTC
Last seen:2024-08-26 18:32:00 UTC
File type:DLL dll
MIME type:application/x-dosexec
imphash 9d5323b4a1da3aca909765905da6172e (1 x RaspberryRobin)
ssdeep 49152:mRkHV0tF2wH2Z7ryv0kYHm3gnAXKiKqRMP:ikCF2a2Z6v0a3gnAX1Kqa
Threatray 1 similar samples on MalwareBazaar
TLSH T15B95BEDEE0DC912CEB2D46F904AC3FE68A6C6320E2596D37F65E10AA594454E33DC43E
TrID 51.4% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
15.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
14.0% (.EXE) Win32 Executable (generic) (4504/4/1)
6.3% (.EXE) OS/2 Executable (generic) (2029/13)
6.2% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:cpl KeygenGuru RaspberryRobin

Intelligence


File Origin
# of uploads :
2
# of downloads :
100
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Tags:
Fauppod
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fauppod lolbin masquerade microsoft_visual_cc packed shell32
Threat name:
Win32.Trojan.Zenpak
Status:
Malicious
First seen:
2024-08-26 17:37:05 UTC
File Type:
PE (Dll)
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Unpacked files
SH256 hash:
3701e89a871bcd41d4acd221aa855fad14f9fbafbc21da9695b5084951e561c7
MD5 hash:
bb1d1ccb1b6a37a19bb5cbbcb18ec382
SHA1 hash:
2da77c7d531ed6cc84c946b94b0892caa4a8e6a7
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Rule name:meth_stackstrings
Author:Willi Ballenthin

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaspberryRobin

DLL dll 3701e89a871bcd41d4acd221aa855fad14f9fbafbc21da9695b5084951e561c7

(this sample)

  
Delivery method
Other

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
MULTIMEDIA_APICan Play MultimediaAVIFIL32.dll::AVIFileExit
MSVFW32.dll::DrawDibGetPalette
RAS_APIUses Remote AccessRASAPI32.dll::RasGetEapUserDataW
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW

Comments