MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e0ab639b2f098bbab1d45dc08be2b5b1583c8338c5fa636e5c8b67dfb38fb14. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Merlin


Vendor detections: 6


Intelligence 6 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e0ab639b2f098bbab1d45dc08be2b5b1583c8338c5fa636e5c8b67dfb38fb14
SHA3-384 hash: 006103e50d5a5ba4277658eb5267f2dc29b527f8b948efd95a12f28ae7ab66aa91a3a4861b3020fdb53f0c19a3ea978a
SHA1 hash: 9beeab918bdb72e8e0bfd4d354f14e1bb0b3d89a
MD5 hash: 1d5ff55d398ef7168a8585aa077e4e1e
humanhash: ten-utah-cup-skylark
File name:3e0ab639b2f098bbab1d45dc08be2b5b1583c8338c5fa636e5c8b67dfb38fb14
Download: download sample
Signature Merlin
Create hunting rule
File size:7'149'024 bytes
First seen:2022-07-02 09:14:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (62 x LummaStealer, 51 x Vidar, 49 x AuroraStealer)
ssdeep 98304:73w3azD+VpaEQBJeSiFI9JCpjn9mvz8usRpyGl2:zZDi4nsI929m78D6+2
Threatray 197 similar samples on MalwareBazaar
TLSH T134767B43F88490A9C6E9D130CA76D292BA317C840B3137D32B55B7BA2B77BD49E79350
gimphash 8c4cac1a6a0345fa97068f169b675716495dcf5e98b314e6d2c04881c84ba0be
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter cyb3rops
Tags:exe Merlin signed

Code Signing Certificate

Organisation:Exivity B.V.
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-10-18T00:00:00Z
Valid to:2022-10-18T23:59:59Z
Serial number: b68216b9b5929bf8d4a2d5ebcce78c1b
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 635a2ce0ae29ab85c7dc63193f7458f6afd83b3ef3e246e0433d1f3b7a7e3922
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
294
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/285065/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/23421/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
golang overlay packed
Link:
https://www.filescan.io/uploads/62c00cd795a8514e29903e8d/reports/7225832e-9aab-4b5c-90be-7b5f3099e725/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/42ac3ed5-6a83-4f7f-939d-1132cb4ef688
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
2 / 100
Link:
https://www.joesandbox.com/analysis/1023489
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e0ab639b2f098bbab1d45dc08be2b5b1583c8338c5fa636e5c8b67dfb38fb14/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hyflmons6cmlxky5ixoarprllmkyhsbtrrp2mnxfzc3h36zy7mka._file
Verdict:
unknown
Similar samples:
01ee0c19a2e2e2f8239cd2b768256f4c271dce9d95d1c40976df8f96f8075630
Merlin
0787ae2c43d3a8d3f69ab3d69692f789e0b4fa27b276e072ca44a82074477e34
Merlin
356ed801fd17886006472a332bba1126976a4a14dbf378d59a01904fcea64b18
Merlin
9148bcf1957c9dc89339b577fc122c8d947cafc09b275c95361dc6b4150eeaa1
Merlin
a945fd22e8f7272ce950721138fedb657dcfdd8447620a840c17688e3f9e0561
Merlin
ca4f64a4b97c079e3835b30d39b8d0ed3dec2994f98e11c3aeb6b3130a00903b
Merlin
+ 187 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220702-k7wjwsgbc8/
Unpacked files
SH256 hash:
3e0ab639b2f098bbab1d45dc08be2b5b1583c8338c5fa636e5c8b67dfb38fb14
MD5 hash:
1d5ff55d398ef7168a8585aa077e4e1e
SHA1 hash:
9beeab918bdb72e8e0bfd4d354f14e1bb0b3d89a
Detections:
win_hive_auto
Create hunting rule
Link:
https://www.unpac.me/results/d28d21b1-8e3a-41f1-a8e1-b0fecde01301/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:methodology_golang_build_strings
Create hunting rule
Author:smiller
Description:Looks for PEs with a Golang build ID
Rule name:win_hive_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.hive.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://github.com/Ne0nd0g/merlin-agent
Cape
Cape
https://www.capesandbox.com/analysis/285065/

Comments