MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43a09bd38b5f0b0aaaee703e415ba41cb3274a692b191a7bba3a895d1e3cc4e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	43a09bd38b5f0b0aaaee703e415ba41cb3274a692b191a7bba3a895d1e3cc4e4
SHA3-384 hash:	46d9f123d5889105d9bca5a637cdb72b93b4a57642f23b34f97105e50cdf8a63f4a477892d208cec02ee7aba23251ae9
SHA1 hash:	2296993e147a5b50c6813a84ba79aa69299adebe
MD5 hash:	a3c6f1c383488bc8e2d0e65dbca2d0e8
humanhash:	low-oscar-two-green
File name:	WhatAmI.exe
Download:	download sample
File size:	4'830'454 bytes
First seen:	2021-06-10 15:33:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4df47bd79d7fe79953651a03293f0e8f (4 x Mimikatz, 3 x Beapy, 1 x Quakbot)
ssdeep	98304:aiMuKXmTjJ5q9Jt4gy9ImjXE3cPtEBO7oV6gqcNtvIBsd3yL7t9:9hK4J5q9D4ImjXEMGBO7oLqcNtv9ZQt9
Threatray	20 similar samples on MalwareBazaar
TLSH	4026333571C1C0B2F937A53C08FAE776683D2A106B35516B03E51E663F125E63A3AE9C
Reporter	Anonymous
Tags:	exe

Intelligence

File Origin

# of uploads :

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

WhatAmI.exe

Verdict:

Malicious activity

Analysis date:

2021-05-14 15:56:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2ab1e920-9fb7-4fa3-80ab-7d9fd95da5b8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/165906/

Detection(s):

SecuriteInfo.com.Heur.Veil.6.11070.10230.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Deleting a recently created file

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

29 / 100

Link:

https://www.joesandbox.com/analysis/716893

Signature

Machine Learning detection for sample

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43a09bd38b5f0b0aaaee703e415ba41cb3274a692b191a7bba3a895d1e3cc4e4/

Verdict:

malicious

289fd8d06a0809ace139201a7bd5896eecc684f0887e791f307e47bbfa5698e4

2c9a56116d34514c98f71a77cd80ab3b32d6523b2d7aa9b89b6e4f5c1cd8a8df

54446099158a525a638b624d85af6d3530970e9050a8b34d4130d1fbbad2dba3

611b8e22e90f2df191ab7e5522620c5350faf06d70b329647e044ce80d575e44

9165bc75e1a727c886b97c5dd3bdc42ed33d22f2895e8a830b94bd27fdeec2eb

95e35f1614df92a318a749a8f62a35b9c03f2f34f08ad5606b45c9d817ff1d93

a4e1a5b0197b59eb99538327584f8294e81259fd704c281469ec6b7ab7a2c046

bf2e8f662f7cff27920ca7c9b27277d1bdf67b58d727d6274e5c32e95d53a715

e92b19cb2f281114eb2db737edd370bcf7d5ea35e84f07976d8d680abdb7d654

+ 10 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

pyinstaller

Link:

https://tria.ge/reports/210610-g4a74dfh26/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Loads dropped DLL

Unpacked files

SH256 hash:

dd87a5b28a71fdcef1be7dfeda07416611ce245e2cbcb43849a9219c96958a88

MD5 hash:

59c397aeb65d1cafc473e7da16a1b0e8

SHA1 hash:

29a54e56348eb4c9c39ed935b76951f53d88a5d3

Link:

https://www.unpac.me/results/3a836592-4d13-42e1-890b-5a336c20adb6/

SH256 hash:

10b3583a7daa12bfbe8a0e58702a68010ea71b397858704f7b9bf486e710dcf5

MD5 hash:

f1085b54cef2b871d788ddb5c2730b32

SHA1 hash:

fd8915162771d57c58384c694d52d14e4da01c1c

Link:

https://www.unpac.me/results/3a836592-4d13-42e1-890b-5a336c20adb6/

SH256 hash:

97bdbcbf09f425f93cf8dc0cc570a886100cce7c87a6e4f784351f16243ddb1c

MD5 hash:

d28972678b768916f24d55f3d4c20250

SHA1 hash:

f8f9d7b275adbb11865cac2477143ee58a3c9a6e

Link:

https://www.unpac.me/results/3a836592-4d13-42e1-890b-5a336c20adb6/

SH256 hash:

fff808e9b7cbbd8aae3233b5b456d87e6f21d02aee452a7f97d8b0c054e8c37e

MD5 hash:

1542e23808cc8ec4001e9b16e9220e4e

SHA1 hash:

a2a6ca1ee63288f539262e18634871f3db6b10e8

Link:

https://www.unpac.me/results/3a836592-4d13-42e1-890b-5a336c20adb6/

SH256 hash:

43a09bd38b5f0b0aaaee703e415ba41cb3274a692b191a7bba3a895d1e3cc4e4

MD5 hash:

a3c6f1c383488bc8e2d0e65dbca2d0e8

SHA1 hash:

2296993e147a5b50c6813a84ba79aa69299adebe

Link:

https://www.unpac.me/results/3a836592-4d13-42e1-890b-5a336c20adb6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43a09bd38b5f0b0aaaee703e415ba41cb3274a692b191a7bba3a895d1e3cc4e4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_File_pyinstaller Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)
Description:	Detect PE file produced by pyinstaller
Reference:	https://isc.sans.edu/diary/21057

Rule name:	PyInstaller Create hunting rule
Author:	@bartblaze
Description:	Identifies executable converted using PyInstaller.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165906/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample