MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6


SHA256 hash: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440
SHA3-384 hash: f434e4af642c07b2365293aa56f49731d0074885e3bd54e956e7dde58c28eeba9d552554b97274d9dee01e46a7eb3c3f
SHA1 hash: 320d2ad61c673ec7a386ff4df1220d6cf7d5bd47
MD5 hash: 7854d9da27486d8a529fd49afdf30351
humanhash: seventeen-artist-william-five
File name: TRYRETFDGFHGDSF.png
File size: 18'375'424 bytes
First seen: 2022-01-14 19:24:06 UTC
Last seen: 2022-01-14 20:48:53 UTC
File type: DLL (dll)
MIME type: application/x-dosexec
imphash: dee89a2beb15917abd8e92982f79e18c
ssdeep: 393216:au3XhWpheFFYahUxaIjJrZIlIWM/XiMoHcP/PaXkFgeGThagMSq0:auHh7th2/jfiDqPEzrht
Threatray: 45 similar samples on MalwareBazaar
TLSH: T187073373BDAA1509D4FDB0F88A2ABDC531F62E15A2A1547694B5BAC230743C7DF0260F
dhash icon: 69fcbaf8f8d8f869
Reporter: johnk3r
Tags: banker, dll

Intelligence


File Origin
# of uploads: 2
# of downloads: 157
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
Searching for the window
DNS request
Creating a window

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay, packed
Result
Verdict: MALICIOUS

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 88 / 100
Signature:
Detected VMProtect packer
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: Suspicious Call by Ordinal
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing a special instruction which causes a usermode exception
Very long command line found
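Three of the signatures above (Sigma detected: Suspicious Call by Ordinal, Obfuscated command line found, Very long command line found) can be reproduced by a detection engineer from ordinary process-creation telemetry. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors: it approximates the Sigma rule's selection (rundll32.exe or loaddll32.exe invoking an export by ordinal, i.e. a ",#N" argument), adds a check for a module argument whose extension is not .dll (this sample was submitted as TRYRETFDGFHGDSF.png), and flags over-long command lines. The events are constructed to mirror the process tree on this page (loaddll32.exe spawning rundll32.exe and cmd.exe); the 1024-byte length threshold and the exact Sigma selection string are assumptions.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation event, Sysmon Event ID 1 / Security 4688 style."""
    image: str
    command_line: str
    parent_image: str = ""


# Hosts that load a DLL and invoke one of its exports (loaddll32.exe is what
# the sandbox above used to run the submitted DLL).
DLL_HOSTS = {"rundll32.exe", "loaddll32.exe", "loaddll64.exe"}

# Export referenced by ordinal: "module,#1" or "module, #1". This approximates
# the Sigma "Suspicious Call by Ordinal" selection (assumed, not copied).
ORDINAL_RE = re.compile(r",\s*#\d+")

# Module argument following the host image token, quoted or bare.
MODULE_RE = re.compile(
    r'^\s*(?:"[^"]*"|\S+)\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))')

VERY_LONG_CMDLINE = 1024  # assumed threshold; sandboxes do not publish theirs


def is_dll_host(image: str) -> bool:
    return ntpath.basename(image).lower() in DLL_HOSTS


def module_path(command_line: str):
    """Path of the module rundll32/loaddll32 was asked to load, if parseable."""
    m = MODULE_RE.match(command_line)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def findings(ev: ProcEvent) -> list:
    """Return the list of detections that fire for one event."""
    out = []
    if is_dll_host(ev.image):
        if ORDINAL_RE.search(ev.command_line):
            out.append("call by ordinal")
        mod = module_path(ev.command_line)
        if mod and ntpath.splitext(mod)[1].lower() != ".dll":
            out.append("non-DLL module extension: " + ntpath.basename(mod))
    if len(ev.command_line) > VERY_LONG_CMDLINE:
        out.append("very long command line")
    return out


def scan(events):
    """Map event index -> findings for every event that fired at least once."""
    hits = {}
    for i, ev in enumerate(events):
        f = findings(ev)
        if f:
            hits[i] = f
    return hits


# Constructed events modelled on this page's process tree; not real telemetry.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\loaddll32.exe",
              r'loaddll32.exe "C:\Users\user\Desktop\TRYRETFDGFHGDSF.png"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\TRYRETFDGFHGDSF.png",#1',
              r"C:\Windows\System32\loaddll32.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\ieframe.dll,OpenURL " + "A" * 2000,
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, hit in scan(EVENTS).items():
        print(idx, EVENTS[idx].command_line[:60], "->", hit)
```

The benign shell32.dll invocation (export called by name, .dll extension, short command line) produces no finding, which is the false-positive case to keep in mind before turning the ordinal check into a blocking rule: some legitimate installers do call exports by ordinal, so in production pair it with the parent-process and module-path context.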
Behaviour
Behavior Graph ID: 553402 (sample TRYRETFDGFHGDSF.png, start date 14/01/2022, architecture WINDOWS, score 88)
Signatures attached to the sample itself: Multi AV Scanner detection for submitted file; Detected VMProtect packer; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Sigma detected: Suspicious Call by Ordinal
Process tree recovered from the graph:
loaddll32.exe
  DNS/IP: 192.168.2.1 (unknown)
  Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Obfuscated command line found; Very long command line found; 3 other signatures
  rundll32.exe
    Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Overwrites code with function prologues; Hides threads from debuggers
  cmd.exe
    rundll32.exe
      Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Hides threads from debuggers
      WerFault.exe
      WerFault.exe
  rundll32.exe
    WerFault.exe
    WerFault.exe
  3 other processes
    Tries to detect virtualization through RDTSC time measurements
Threat name: Win32.Trojan.Casbaneiro
Status: Malicious
First seen: 2022-01-14 19:24:55 UTC
File Type: PE (Dll)
Extracted files: 37
AV detection: 16 of 28 (57.14%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: vmprotect
Behaviour:
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
VMProtect packed file
Unpacked files
SHA256 hash: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440
MD5 hash: 7854d9da27486d8a529fd49afdf30351
SHA1 hash: 320d2ad61c673ec7a386ff4df1220d6cf7d5bd47
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Author:ditekSHen
Description:Detects executables packed with VMProtect.
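The file-information block above records a PE DLL (MIME type application/x-dosexec) submitted under a .png file name, and the YARA hit here comes from a rule keyed on VMProtect artifacts. As an added example, which is neither the YARA rule itself nor MalwareBazaar code, the Python below parses the DOS and COFF headers with the standard library only and reproduces three checks a triage pipeline would want before trusting an extension: a PE-magic-versus-extension mismatch, the IMAGE_FILE_DLL characteristic that makes this sample a DLL, and VMProtect's .vmp0/.vmp1 section names, which are used here as an assumed heuristic (the rule's real conditions are not reproduced). The bytes it runs on are a constructed minimal PE32 header, not the real file.

```python
import hashlib
import ntpath
import struct

# COFF Characteristics flags (PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv"}
# Assumed heuristic: VMProtect names its sections .vmp0/.vmp1/.vmp2. The
# YARA rule on this page is not reproduced here.
VMPROTECT_SECTIONS = {".vmp0", ".vmp1", ".vmp2"}


def parse_pe(data: bytes):
    """Return machine, characteristics and section names, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size   # section headers follow the optional header
    names = []
    for i in range(nsec):
        off = sec_table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break                                # truncated section table
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "characteristics": chars, "sections": names}


def triage(file_name: str, data: bytes) -> dict:
    """Hash the file and flag PE-vs-extension mismatch, DLL flag and VMProtect sections."""
    ext = ntpath.splitext(file_name)[1].lower()
    pe = parse_pe(data)
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "extension": ext,
        "is_pe": pe is not None,
        "file_type": None,
        "extension_mismatch": False,
        "vmprotect_sections": [],
    }
    if pe is not None:
        result["file_type"] = "DLL" if pe["characteristics"] & IMAGE_FILE_DLL else "EXE"
        result["extension_mismatch"] = ext not in PE_EXTENSIONS
        result["vmprotect_sections"] = [
            s for s in pe["sections"] if s.lower() in VMPROTECT_SECTIONS]
    return result


def build_sample(section_names, dll=True) -> bytes:
    """Constructed minimal PE32 header (DOS stub, COFF header, zeroed optional
    header, section table). Test data only, not the real sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | (IMAGE_FILE_DLL if dll else 0)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 magic, 224 bytes total
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), chars)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0, 0, 0, 0, 0, 0, 0, 0, 0)
                    for n in section_names)
    return dos + b"PE\0\0" + coff + opt + secs


if __name__ == "__main__":
    sample = build_sample([".text", ".vmp0", ".vmp1"])
    print(triage("TRYRETFDGFHGDSF.png", sample))
```

The extension check is deliberately done on the file name the sample arrived with, since that is the mismatch a mail gateway or download monitor sees; a packer that renames sections (VMProtect can) defeats the section-name heuristic, which is why the page's YARA match is only one of several signals here.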

File information


The table below shows additional information about this malware sample such as delivery method and external references.

DLL: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440 (this sample)

Comments