MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
SHA3-384 hash: 1db0c66a225aa129291bef3d0650e2df026db813e5416a58d51aa11f0581efe47c61dfa8fdd9fca87dc7e7877e1785bb
SHA1 hash: 52221329cb3a1c8485c1062af3175a38bc738926
MD5 hash: 0d956dcb4a19f1bb4825392a0c654ad9
humanhash: oranges-foxtrot-tango-indigo
File name:0d956dcb4a19f1bb4825392a0c654ad9.exe
Download: download sample
File size:409'600 bytes
First seen:2021-08-24 11:46:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 19d4e66d725c89ba6712b82bebc8196d (5 x Gh0stRAT, 2 x PurpleFox, 1 x YoungLotus)
ssdeep 6144:2SuxNOug5MI3KBau3EO8iZrEXA2czL6mWzdoZtAznpGuGEwJvfJ0s9VC:3ux9g5F6U2WOWczLygAzN6fJE
Threatray 46 similar samples on MalwareBazaar
TLSH T13C9412A23BC70655C34CB6B1CCA48B28039DD3E41E6D900FBE306959FD652ED9D3AE46
dhash icon f0f4e8cccce8d4f0 (8 x Gh0stRAT, 1 x Nitol, 1 x MimiKatz)
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0d956dcb4a19f1bb4825392a0c654ad9.exe
Verdict:
No threats detected
Analysis date:
2021-08-24 12:11:33 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/66947e5f-19a6-4266-b015-d1d5a0cec0c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181879/
Detection(s):
Win.Keylogger.Deepscan-7603977-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the Windows subdirectories
Creating a service
Launching a service
Creating a process from a recently created file
Creating a file in the drivers directory
Creating a window
Loading a system driver
Connection attempt
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching a process
Creating a file
Sending a UDP request
Enabling autorun for a service
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3391fbf1-5c43-4198-bc3d-7617d842ffd3
Result
Threat name:
Mimikatz
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/838222
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Mimikatz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 470660 Sample: 6soed9jVSV.exe Startdate: 24/08/2021 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 Antivirus / Scanner detection for submitted sample 2->46 48 4 other signatures 2->48 7 Umeum.exe 2->7         started        10 6soed9jVSV.exe 1 2 2->10         started        13 svchost.exe 2->13         started        15 10 other processes 2->15 process3 file4 56 Antivirus detection for dropped file 7->56 58 Multi AV Scanner detection for dropped file 7->58 60 Machine Learning detection for dropped file 7->60 62 Drops executables to the windows directory (C:\Windows) and starts them 7->62 17 Umeum.exe 14 1 7->17         started        34 C:\Windows\SysWOW64\Umeum.exe, PE32 10->34 dropped 36 C:\Windows\...\Umeum.exe:Zone.Identifier, ASCII 10->36 dropped 22 cmd.exe 1 10->22         started        64 Changes security center settings (notifications, updates, antivirus, firewall) 13->64 24 MpCmdRun.exe 1 13->24         started        signatures5 process6 dnsIp7 38 58.218.67.253, 49713, 8080 CHINANET-JIANGSU-CHANGZHOU-IDCChinaNetJiangsuChangzhouID China 17->38 32 C:\Windows\System32\drivers\QAssist.sys, PE32+ 17->32 dropped 50 Sample is not signed and drops a device driver 17->50 40 127.0.0.1 unknown unknown 22->40 52 Uses ping.exe to sleep 22->52 54 Uses ping.exe to check the status of other devices and networks 22->54 26 conhost.exe 22->26         started        28 PING.EXE 1 22->28         started        30 conhost.exe 24->30         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84/
Threat name:
Win32.Backdoor.Farfli
Create hunting rule
Status:
Malicious
First seen:
2021-08-24 11:47:12 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0367ec4f514399dfae2b74ed8b9303f1f47e527d5bc7bd7cb900710937add0a4
161a1eb003a6ee20d635879514a3be9feb2f2d126214a7bbeb8e93daa11e4a49
4bb4435958fa48762b34905fc5ac50c78878eccb33252f72cb037d664cb60fc9
8eb11e49eff426eba9d7fa1172c03744a35eb18a806660ec3f1eb3b107a26905
a4053c9427fa00b62f65abf8ad7760e39df7f7ea0c72ed89375e2076f7cb79a3
a578e71d04eae80004ab431497c95fb9779a95dc7f0c60996c24c1cb7139745d
ba7dd90bf8bd6a1dc665c8860c09489ea5531d739e55be0321bd85478b03c95f
c3304ec52968793ae709cf7c7caad6acae0bded8088f06cefbee55bde0a9224f
c96fb748304f35220cae69a622318ee3e425802dea7387549af4add7ba449b7e
d19b02a35003c637360cc342d5fcdae87dc7336fc7925f07f5c0636eae22ba37
+ 36 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210824-sp46chbcw6/
Behaviour
Checks processor information in registry
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Enumerates connected drives
Deletes itself
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Sets service image path in registry
UPX packed file
Unpacked files
SH256 hash:
b02ecd10942f04770c4649d8b690c8dc5c6c5fa49404b2dfa387c6fac49498ec
MD5 hash:
c07785cb94c8dd84e10e5c4c2b78cdfc
SHA1 hash:
be5c9247801051e8d687a85035b9a64af88742b4
Link:
https://www.unpac.me/results/eac7eb61-fd28-4254-a574-94916f876066/
SH256 hash:
38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84
MD5 hash:
0d956dcb4a19f1bb4825392a0c654ad9
SHA1 hash:
52221329cb3a1c8485c1062af3175a38bc738926
Link:
https://www.unpac.me/results/eac7eb61-fd28-4254-a574-94916f876066/
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/38f32d4407d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farfli
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 38f32d4407d8fd264c2f5585340fb472325e066d335bcb7de398c4e033c04c84

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1024488/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/181879/

Comments