MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d031ccd29e2ee2a59b640b2644b68121351917397bd6a9a0fd31b359e1c73bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA 6 File information Comments

SHA256 hash:	3d031ccd29e2ee2a59b640b2644b68121351917397bd6a9a0fd31b359e1c73bd
SHA3-384 hash:	ac5d4386d58207a6068d9ba9868a115f5dcc8df4fb8076906c8ff7ab8451d08053de60e34a2efc7d7f8d5480e4fffb09
SHA1 hash:	7644b547f8fe1443f0f94ff171cf743f43b4d4bc
MD5 hash:	6924bc6bc843e80b868a582fbf98726d
humanhash:	timing-fix-lion-sad
File name:	6924bc6bc843e80b868a582fbf98726d
Download:	download sample
File size:	1'176'025 bytes
First seen:	2020-11-17 12:46:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:INQXjG+1g/UNx+pcp63WARPuz3PU1fZXpY5nFdFY5xcrHekrMx:QcG+iMNEY6zs3PU1RX25nFdFY5xc7Ux
Threatray	2 similar samples on MalwareBazaar
TLSH	FF45238712D9BADCF038767073B653CBCA698D218302F12E56D9763B917C88B36467E4
Reporter	seifreed

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Reading critical registry keys

Setting a keyboard event handler

Enabling the 'hidden' option for analyzed file

Creating a file in the %AppData% subdirectories

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Enabling the 'hidden' option for recently created files

Deleting a recently created file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3d031ccd29e2ee2a59b640b2644b68121351917397bd6a9a0fd31b359e1c73bd/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2020-11-07 02:06:28 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

malicious

e24f69aa8738d14b85ad76a1783d51120b8b6ba467190fe7d8f96ad2969c8fdf

Result

Malware family:

n/a

Score:

8/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/201117-ketav6kxcs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Executes dropped EXE

Unpacked files

SH256 hash:

3d031ccd29e2ee2a59b640b2644b68121351917397bd6a9a0fd31b359e1c73bd

MD5 hash:

6924bc6bc843e80b868a582fbf98726d

SHA1 hash:

7644b547f8fe1443f0f94ff171cf743f43b4d4bc

Link:

https://www.unpac.me/results/07588f58-3e61-4ae1-ba69-2ccf0256fda4/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackWorm Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify BlackWorm

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	Chrome_stealer_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	Chrome in files like avemaria

Rule name:	EnigmaStub Create hunting rule
Author:	@bartblaze
Description:	Identifies Enigma packer stub.

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	SUSP_XORed_URL_in_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an XORed URL in an executable
Reference:	https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample