MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a6e8f5a226edc006e29e38c48eaa721c12e48953abd56dcbc9b241975631247. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Conti


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a6e8f5a226edc006e29e38c48eaa721c12e48953abd56dcbc9b241975631247
SHA3-384 hash: 0577a3f6ef12c8799728c907fab7c00b633afa2e8da867ee3d59725bf3aa60a2b64875938434670838ec93d7ea25a0e1
SHA1 hash: 14013b448ba486d8daa0a77cbf512d51fea48462
MD5 hash: afa38b25a8cfac7a5b3b5f57678bf873
humanhash: bakerloo-aspen-enemy-happy
File name:1dfs1dfs.exe
Download: download sample
Signature Conti
Create hunting rule
File size:743'584 bytes
First seen:2021-02-09 16:55:42 UTC
Last seen:2021-02-09 19:03:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 026cf4546ef25ed562257a6f87c8e6cf (11 x Conti, 5 x BazaLoader, 1 x TrickBot)
ssdeep 12288:JajFDORvsri3361XTxdd8q815j+eiyESoe3lMjDw4yr0ayxeGMi0ofR:UjFDORvv33uXTxdd8q815j+eiyESoe3c
Threatray 9 similar samples on MalwareBazaar
TLSH 5AF48C23AA11B438F3B640F55AFAA47FA819587153091AF338E7A064F1603E57FF5C62
Reporter James_inthe_box
Tags:conti exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1dfs1dfs.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 16:58:49 UTC
Tags:
trojan trickbot loader
Link:
https://app.any.run/tasks/7378294a-d0d2-412b-9896-e1d5a4574035

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116225/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36319031.290.32538.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Transferring files using the Background Intelligent Transfer Service (BITS)
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/603359
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 350690 Sample: 1dfs1dfs.exe Startdate: 09/02/2021 Architecture: WINDOWS Score: 80 26 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->26 28 Multi AV Scanner detection for submitted file 2->28 30 Machine Learning detection for sample 2->30 7 1dfs1dfs.exe 2->7         started        10 1dfs1dfs.exe 2->10         started        process3 signatures4 32 Detected unpacking (changes PE section rights) 7->32 34 Detected unpacking (overwrites its own PE header) 7->34 36 Injects a PE file into a foreign processes 7->36 12 1dfs1dfs.exe 15 7->12         started        15 1dfs1dfs.exe 10->15         started        process5 dnsIp6 24 34.210.71.206, 443, 49723, 49727 AMAZON-02US United States 12->24 17 WerFault.exe 23 9 12->17         started        20 cmd.exe 12->20         started        process7 file8 22 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->22 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a6e8f5a226edc006e29e38c48eaa721c12e48953abd56dcbc9b241975631247/
Threat name:
Win32.Trojan.Racealer
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 07:11:33 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hjxi6wrcn3oaa3rj4oger2vhehas4sevhk6vnxf4tmsbs5ldcjdq._file
Verdict:
malicious
Similar samples:
1f9285b8391683d7ca32a5cbcea8392d6e0643e21ffefd4bc87ad041bc30916c
Conti
40f84567acadf100bcba7cbe74cb927eb2ec8cc3203c7663a5c05a655fa469a6
Conti
6746b12200fed6aeb1764594c84ecd3485e74114325c150ba41d12c555b182eb
Conti
7bc9d1453bb84033fd82500f10db64cbf221c4286ed3eba7928249dae6d67675
Conti
9a3467911eaf0122aade59ef8636d005f251ef1e6fb23295bdac92376ae0fb82
Conti
cb0373b35abf4b089be60e714ee415d3491ddc2cffcfb45b84a87a3a106c822f
Conti
cb76c19c178a71a5115ee308b51de416255de06d4e8226fdda8e59275a519c14
Conti
dc0715adb07b65af47d660aa7582f9ecdfc770606f1a852fe1aa7a643bba7543
Conti
e7e4c086f54086b129715c584777c2d920a9443a6ba85d4ea5e6d63b8eeb5b9e
Conti
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210209-jvsc41rqxs/
Behaviour
Discovers systems in the same network
Gathers system information
Modifies registry key
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
BazarBackdoor
Unpacked files
SH256 hash:
793cd94427ec5b5d2d206c1b41cb55a7150c83f12cf86a165b2094bff58ec735
MD5 hash:
ae2fba237175aee3e525d29a0670a0d1
SHA1 hash:
165a9bd22f78066748194ee69935f77cefa232d6
Link:
https://www.unpac.me/results/3ba50b60-12c7-442c-a887-7ed9f7f665d6/
SH256 hash:
3a6e8f5a226edc006e29e38c48eaa721c12e48953abd56dcbc9b241975631247
MD5 hash:
afa38b25a8cfac7a5b3b5f57678bf873
SHA1 hash:
14013b448ba486d8daa0a77cbf512d51fea48462
Link:
https://www.unpac.me/results/3ba50b60-12c7-442c-a887-7ed9f7f665d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a6e8f5a226edc006e29e38c48eaa721c12e48953abd56dcbc9b241975631247

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Conti
Create hunting rule
Author:kevoreilly
Description:Conti Ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/116225/

Comments