MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Allaple

Vendor detections: 16

Intelligence 16 IOCs YARA 2 File information Comments

SHA256 hash:	378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62
SHA3-384 hash:	f5d3a8e8fc158e9a32e4c97cc9a7a53cd9a30a46f8ce1da2f838e11ff34d66b495672df003d01528017651bc4d3b903a
SHA1 hash:	c951f9b852a6ee975f5e66ce6d9b3671fbffd989
MD5 hash:	4a877b33da7992ee741897eb26ce07f1
humanhash:	cup-five-magnesium-lithium
File name:	378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62
Download:	download sample
Signature	Allaple Create hunting rule
File size:	209'610 bytes
First seen:	2024-10-25 18:03:53 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	be4dffb3bd263b236b578907d68239c6 (1 x Allaple)
ssdeep	6144:Sapf3t9bio6l0LFpOA+dQ41MEL9888889ygxQQonEem2SX8:Sapf3ni1lJA+dQ4XL98888815o/Ss
Threatray	8 similar samples on MalwareBazaar
TLSH	T112249DCE9A94DCC3F997293A054471FBF274415936F9A055BEF04AECE0A0F9242B82DD
TrID	28.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 25.5% (.EXE) Win32 Executable (generic) (4504/4/1) 11.6% (.ICL) Windows Icons Library (generic) (2059/9) 11.5% (.EXE) OS/2 Executable (generic) (2029/13) 11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	JAMESWT_WT
Tags:	217-195-153-196 allaple exe TMBackdoor

Intelligence

File Origin

# of uploads :

# of downloads :

515

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62

Verdict:

Malicious activity

Analysis date:

2024-10-25 18:05:53 UTC

Tags:

scan smbscan icmp

Link:

https://app.any.run/tasks/df7b14f6-308b-48d6-a973-ad9619615b84

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Worm.Allaple-171

Win.Worm.Allaple-5

Win.Trojan.Virut-388

Win.Worm.Allaple-6171102-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=671bdd96a75e41aa67216921

Tags:

Allaple Exploit Dropper Overt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Connection attempt

Changing a file

Creating a file in the Program Files subdirectories

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

overlay packed packed packer_detected

Link:

https://www.filescan.io/uploads/671bdd9be24e48f1e67b6b25/reports/1db20dd7-340c-4feb-a339-23b17fb2c62e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Allaple

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5d07e10a-65db-42f6-9fe8-188898aa2c49

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1542346

Signature

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations

Suricata IDS alerts for network traffic

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62/

Threat name:

Win32.Worm.RaHack

Status:

Malicious

First seen:

2023-04-22 10:46:24 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

37 of 38 (97.37%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g6aftmtwa3vorn4nb26nrt2gt3hghkhdmrm6xmdaoonmhpntlvra._file

Verdict:

malicious

Label(s):

allaple

Allaple

4fc053d321a623653ee61b803b3d10d0b102da59325106851aa0d48539c36476

Allaple

824a5d1fc6ac6050922b1d6a62930d7e6c487b667a83412815e31980f9cfdaba

Allaple

8cbc4de8053a106655e954a82d40ed1f456882f69cc6dfb13ed41e27a637375b

Allaple

a4e3a51d3bafd44bad049bbe1c4ce7e3e8e2952b9c1700c11ec2d97e7fb52a31

Allaple

b82b7a6c942551964c3bd0b159dc4af1fb7deb945476183279092328228bd7a9

Allaple

e6a8f27d09c850978b635d02a99758fe27e2accbe11eeab7588f90726fc89e74

Allaple

error

Allaple

f410f4430cdbd2220b72377003a1b3ab168fd3a68a589193541e4a67bc9f834c

Allaple

Result

Malware family:

n/a

Score:

4/10

Tags:

discovery

Link:

https://tria.ge/reports/241025-wnkttszpgs/

Behaviour

Modifies registry class

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Drops file in Program Files directory

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/d079dc91-9ea6-4e0e-9e11-9acd9da25699

Unpacked files

SH256 hash:

31a4de81da58d4f0f2f2299c073eca058b7bd8d514bb8e43fdaa4949ca587c23

MD5 hash:

49e5125f7c5c710b213e2de422eda8b6

SHA1 hash:

60d4857280f272fe5dc507b4acfb505a2efeed2d

Detections:

Allaple

win_allaple_auto

Link:

https://www.unpac.me/results/8cf47110-1362-4173-a189-4148a8834e45/

Parent samples :

a4e3a51d3bafd44bad049bbe1c4ce7e3e8e2952b9c1700c11ec2d97e7fb52a31
2bdb30d02bc3a9894a3ee6ff89ecd7ed6d8937e88ccc8c85f5618e7cae931f50
8cbc4de8053a106655e954a82d40ed1f456882f69cc6dfb13ed41e27a637375b
824a5d1fc6ac6050922b1d6a62930d7e6c487b667a83412815e31980f9cfdaba
e6a8f27d09c850978b635d02a99758fe27e2accbe11eeab7588f90726fc89e74
4fc053d321a623653ee61b803b3d10d0b102da59325106851aa0d48539c36476
378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62
b8a3d6fb9df78b366b1f4028346e0bedf9ecefad4e6108966ba9a8ede0e11ae7
75e150c19f29423a5c58cf0e85df991020eb6ee0ea45539da74372694c03ce82

SH256 hash:

d9641ca6237d6cd62cb9e313a758bc5197ea7c5f6cbcea6b11ae1a12fa7dda4d

MD5 hash:

ab678a987ced731140a15d925983b349

SHA1 hash:

477816fbc454e08014956ea25a964d4daad0f92f

Link:

https://www.unpac.me/results/8cf47110-1362-4173-a189-4148a8834e45/

SH256 hash:

4c8fbcbc69051bb934e843495e419d3fd9383fc953fef0b8e77d016522531944

MD5 hash:

b69d7427a0da7bf1ff6130b45d9a29b3

SHA1 hash:

8d3846216b222e58a86e868b142fe24b5aca6dd1

Link:

https://www.unpac.me/results/8cf47110-1362-4173-a189-4148a8834e45/

SH256 hash:

378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62

MD5 hash:

4a877b33da7992ee741897eb26ce07f1

SHA1 hash:

c951f9b852a6ee975f5e66ce6d9b3671fbffd989

Link:

https://www.unpac.me/results/8cf47110-1362-4173-a189-4148a8834e45/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/378059b27606eae8b78d0ebcd8cf469ece63a8e36459ebb060739ac3bdb35d62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::ReadConsoleOutputCharacterA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::GetVolumePathNamesForVolumeNameA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample