MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2
SHA3-384 hash:	1404a6350a06246cb6381d209487c1a57af36d7006f4040a73a6cfefec6032d2ff7314eaa73846dedd794556c79fc141
SHA1 hash:	5e42386540acbb0949b78d5c0e37e0a186ddc18a
MD5 hash:	ca0eaca077aa67f2609f612cefe7f1f3
humanhash:	ceiling-hotel-twelve-michigan
File name:	iec56w4ibovnb4wc.onion_Library__OlympicDestroyer__OlympicsSouthKorea.bin.malw
Download:	download sample
File size:	1'863'680 bytes
First seen:	2020-03-18 22:33:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fd7200dcd5c0d9d4d277a26d951210aa
ssdeep	49152:aIuQjMQjzus3wLNlDXjUoXFhKoT2iG6xQQqOeaGcWRrLy3pN+:a1bQjyQwhlDFEi5Qt7aGdRrLy5N
Threatray	21 similar samples on MalwareBazaar
TLSH	C4852396B9C180B2E4E344749CF8DA754CAC7A300B212ADFB7E0573D5E261D06736EA7
Reporter	ov3rflow1
Tags:	malw

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.OlympicDestroyer-6446992-0

Gathering data

Threat name:

Win32.Trojan.Olympicdestroyer

Status:

Malicious

First seen:

2018-02-10 04:37:38 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

44 of 48 (91.67%)

Threat level:

5/5

Verdict:

malicious

3afe4dd1466eb99bc7ab905a2363173dc043f9060982c49b6f5da73293f7d6ed

65c86813da2eb5bfc495e538fa4e77f8c3a3c03418e655ac8262bc0aa42281ba

693626ad4ce750ecb027980dfb505ca69872923702dfe564e0adcb651e8c60d9

c6d5e1fdae2634a3a2a29a8c5de69f725ebceefba86d3700bc922aac7f55a1f7

cb663a4fa79cb0fcb52c3049b65b1a012c45e72badc13c931fc2c72a8a94dcca

e392bcf79759484012a84eb240198d63c45af3480eff1e28aed7cc102069b63a

e971ff222148de51a5cb8aa8648b76b727179bd39bd2e01b5824c9e752fcf147

eecf5fa7aabf91128e8b3d5a6b6541ccc4e379c18cfe1d35f2473740a192e8d1

eee468bff615adfd8c7b6afc3dc8d064e5076e6175e7d28e233983e08a0a4426

+ 11 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Unknown

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::ConvertSidToStringSidW ADVAPI32.dll::CopySid ADVAPI32.dll::GetLengthSid ADVAPI32.dll::IsValidSid
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateRemoteThread KERNEL32.dll::CreateProcessW KERNEL32.dll::CreateProcessA ADVAPI32.dll::OpenProcessToken KERNEL32.dll::VirtualAllocEx KERNEL32.dll::WriteProcessMemory
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileA KERNEL32.dll::DeleteFileW KERNEL32.dll::GetWindowsDirectoryW KERNEL32.dll::GetFileAttributesA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameA ADVAPI32.dll::LogonUserA ADVAPI32.dll::LookupAccountSidW ADVAPI32.dll::LookupPrivilegeNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_CRED_API	Can Manipute Windows Credentials	credui.dll::CredUIParseUserNameW
WIN_CRYPT_API	Uses Windows Crypt API	ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptGenRandom
WIN_SOCK_API	Uses Network to send and receive data	WS2_32.dll::FreeAddrInfoW WS2_32.dll::GetAddrInfoW WS2_32.dll::getnameinfo

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample