MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d
SHA3-384 hash:	9dba840e982afc05865b4fb760962754aa7bfe04da5f5c65b517e4a8a6dcbe0840fcdc4460425c73329bb19cf515c61c
SHA1 hash:	4f3efab52ba7eca556303f6ce3c4dcbe8d8b377a
MD5 hash:	d9f37d3e7105f0b3ddd0dd3b473f5611
humanhash:	undress-pip-batman-five
File name:	football.bin
Download:	download sample
File size:	12'558'904 bytes
First seen:	2022-06-15 14:23:28 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5bd3497bfd913b30bbdb13331f9ba919
ssdeep	196608:HmxjuqAMuHtZeIfpYxdFKipaHNVPrhk9VLsI2/0O9Be+3RUTfU/OQa8sYGuWYdrT:HmNAMuNZLMd0ipaHN1yMI2/nelLXMlGe
Threatray	1'879 similar samples on MalwareBazaar
TLSH	T133C6331CA7523D995E6C6FB0F34B8E99F64BDA3D4904D036FAF44C8E89E4B834424396
TrID	54.2% (.EXE) UPX compressed Win64 Executable (70117/5/12) 20.9% (.EXE) UPX compressed Win32 Executable (27066/9/6) 12.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 3.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 3.4% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	JAMESWT_WT
Tags:	exe filecoder Python Ransomware

Intelligence

File Origin

# of uploads :

# of downloads :

573

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

comme_par_magie.pdf.exe

Verdict:

Malicious activity

Analysis date:

2022-06-15 14:16:43 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/a34b4c14-a7b2-47a3-8d74-9c9a2e85a2a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/280207/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Creating a process from a recently created file

Running batch commands

Creating a process with a hidden window

DNS request

Sending a custom TCP request

Creating a file

Creating a window

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/21400/overview

Behaviour

MalwareBazaar

GetTempPath

Verdict:

Suspicious

Threat level:

5/10

Confidence:

67%

Tags:

anti-debug overlay packed python shell32.dll

Link:

https://www.filescan.io/uploads/62a9eb855c08d80e8ed5923f/reports/ad3a5f8e-0c52-45c8-852c-818b53c5c2ce/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/0608d27c-bb85-4577-b5b5-bd1232bd2e96

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/1013758

Signature

DLL side loading technique detected

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d/

Threat name:

Win64.Trojan.Tedy

Status:

Malicious

First seen:

2022-06-12 19:53:54 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

10 of 41 (24.39%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ieiewc6kqpmgmhtllvcse5355kxxnvjef2lzmfin4dqrufqcfbwq._file

Verdict:

unknown

1f871dd7afffac397882b6044e966aef944fdd2acd1b4a351f0ffe70bb236499

26a4c5b36d9fde80ea47137eb53b40dacf240432a5895f98417eae51b6b681da

4e7105da7face5917f66842ba73810d29826cb971140f9da2b0efb7a37de3c0e

5879d39a0bab80032ebc751728e034cf7ec7fb30749090b5df8c37100034ef95

73e926ed57eae4d7da49906fc5a8a0cc9507c5e3481e1146be98aaa1514773fc

8eeb37060519ca06889e09113bb423bfbe8c2e16c93fa5b75d82397f8cf58012

adf8e5128003e712d0e1e7d0b3833864971711c03c8099bfcf369ab6764d5415

babf526ebe596643961a64b67dea3846f45355f4852f560046f06b633141b2a3

cf68ac02858c0053067b47b24338b564aeb92f25310765a2bad8928174285a62

+ 1'869 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/220615-rqptcaafgr/

Behaviour

Suspicious use of WriteProcessMemory

Program crash

Looks up external IP address via web service

Loads dropped DLL

Executes dropped EXE

UPX packed file

Unpacked files

SH256 hash:

ad565624913e81a27e3e64b6350fd9d90a19af85f26e90f3b3d291cd61935001

MD5 hash:

1191a5eeb37c5b07772721d5acbceb5d

SHA1 hash:

120c2b47a782aca932862e98af89349650e4661f

Link:

https://www.unpac.me/results/e7bd01c2-2203-4ed0-be7a-ee3b999d2957/

SH256 hash:

41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d

MD5 hash:

d9f37d3e7105f0b3ddd0dd3b473f5611

SHA1 hash:

4f3efab52ba7eca556303f6ce3c4dcbe8d8b377a

Link:

https://www.unpac.me/results/e7bd01c2-2203-4ed0-be7a-ee3b999d2957/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.18

Link:

https://yomi.yoroi.company/submissions/41104b0bca83d8661e6b5d4522777deaaf76d5242e9796150de0e11a1602286d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	exploit_any_poppopret Create hunting rule
Author:	Jeff White [karttoon@gmail.com] @noottrak
Description:	Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/280207/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample