MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Lazarus
Vendor detections: 6

SHA256 hash: 40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13
SHA3-384 hash: 534b83d811bc5bdc7b9ed2b86845b5b3ef21f577cf1e41827494893c3fb304860043af49b01382dfe8722dd6d71dbe6b
SHA1 hash: 0fed6ea55c44b613b0f51ca735770b6979eeb1f2
MD5 hash: 89ee912c6040c8bd71be58156c0910d0
humanhash: tennis-kentucky-triple-diet
File name: 40273d18abc0d623a1798766e0d388f2f46bfa7ad535cad46098a5262382fa13
Signature: Lazarus
File size: 676'352 bytes
First seen: 2020-08-03 15:18:15 UTC
Last seen: 2020-08-03 16:03:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 1a04a5645e25735ab6a06a56bb4d9338 (2 x Lazarus)
ssdeep: 12288:XMjZjc6lNHF/EKiqGm6BJXYUY0xvdzkut7+jFEgoTwd6SR:XQZjc6jl/EPvm6BJXTjTc6S
Threatray: 5 similar samples on MalwareBazaar
TLSH: A7E43B3632E90068E0739678DAA34552EEB57E900739C6DF4190B2BB1F33DD16E7A721
Reporter: JAMESWT_WT
Tags: Lazarus

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 148
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a system process
Deleting of the original file
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ipconfig to lookup or modify the Windows network settings
Writes to foreign memory regions
Behaviour
Behavior Graph (rendered as text; the original is a graph image)
Behavior Graph ID: 256350; Sample: rUWFYGXgXx; Start date: 03/08/2020; Architecture: WINDOWS; Score: 84
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Uses ipconfig to lookup or modify the Windows network settings
Process tree and per-process signatures:
  loaddll64.exe (started)
    regsvr32.exe (started)
      Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
      sihost.exe (injected)
        Signatures: Deletes itself after installation; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
        Network: www.publishapp.co 193.34.167.242, 443, 49780, SNELNL, Netherlands
        systeminfo.exe (started)
          Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          conhost.exe (started)
        WMIC.exe (started)
          conhost.exe (started)
        WMIC.exe (started)
          conhost.exe (started)
        3 other processes
          conhost.exe (started, 3 instances)
    cmd.exe (started)
      iexplore.exe (started)
        iexplore.exe (started)
          Network: edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49767, 49768, YAHOO-DEBDE, United Kingdom; pagead.l.doubleclick.net 172.217.19.98, 443, 49753, 49754, GOOGLEUS, United States; 18 other IPs or domains
Threat name: Win64.Trojan.NukeSped
Status: Malicious
First seen: 2020-08-01 06:17:15 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 23 of 28 (82.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample, such as delivery method and external references.

Comments