MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ba4b8f4d87039ee33cac2af62a67ee1fd9b3b1b02f4b183f78a7c326b4e42d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Vendor detections: 15

SHA256 hash: 48ba4b8f4d87039ee33cac2af62a67ee1fd9b3b1b02f4b183f78a7c326b4e42d
SHA3-384 hash: 7bf455c5af89438f307dc926fe14dbb0721431822da4277c96aa953c51744fb3fb1111ada903bb7748ec88d57d5f7ef9
SHA1 hash: 905991e3483187cad6d9dd51cde2a3a4ac168e62
MD5 hash: 0b5606b5bd61d8026fbcf1a217248485
humanhash: idaho-aspen-arizona-leopard
File name: A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe
Signature: Stop
File size: 792'576 bytes
First seen: 2024-07-24 20:04:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f3e2f2b52a9345b2bd8582942ee5c776 (11 x Stop, 7 x RedLineStealer, 2 x N-W0rm)
ssdeep: 12288:ql94y1dr5PGO5XO9zPJeVV+3hLQlzLYBcPs91BlpFIZVQpxiMmwBnV++ic6/B:qT40RBxXO0+R829XlHpxiMDv++ic65
Threatray: 1'602 similar samples on MalwareBazaar
TLSH: T140F423E228610836C0471439B871FBC35EADB9221AE178A77BAE91377C709C45EF7365
TrID:
  37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
  12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
  7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 5c59da3ce0c1c850 (36 x Stop, 33 x Smoke Loader, 26 x RedLineStealer)
Reporter: Anonymous
Tags: exe Stop


Anonymous
this malware sample is very nasty!

Intelligence


File Origin
# of uploads: 1
# of downloads: 309
Origin country: CN
Vendor Threat Intelligence
Verdict: Malicious
Score: 99.9%
Tags: Execution Generic Infostealer Network Ransomware Static Stealth Stop
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Changing an executable file
Creating a window
Sending an HTTP GET request to an infection source
Unauthorized injection to a recently created process
Restart of the analyzed sample
Sending a TCP request to an infection source
Modifying an executable file
Creating a file
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Creating synchronization primitives
Deleting a recently created file
Query of malicious DNS domain
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Infecting executable files
Enabling autorun by creating a file
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: fingerprint lolbin microsoft_visual_cc packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: STOP Ransomware
Verdict: Malicious
Result
Threat name: Babuk, Bdaejec, Djvu
Detection: malicious
Classification: rans.spre.troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Found ransom note / readme
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Uses known network protocols on non-standard ports
Writes a notice file (html or txt) to demand a ransom
Writes many files with high entropy
Yara detected Babuk Ransomware
Yara detected Bdaejec
Yara detected Djvu Ransomware
Behaviour
Behavior Graph ID: 1482697
Sample: A9095F44928219267930271D2AD...
Start date: 26/07/2024
Architecture: WINDOWS
Score: 100
(In the process tree below, "sample.exe" stands for A9095F44928219267930271D2AD000C7B2F7F2616DB4AD186E5D3AA283D14764.exe; the number in parentheses is the graph node ID.)

Root (2)
  Network: zerit.top; fuyt.org; 2 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
  Started: sample.exe (9); sample.exe (13); sample.exe (15); sample.exe (17)

sample.exe (9)
  Dropped: C:\Users\user\AppData\Local\Temp\RranN.exe (MS-DOS)
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes a notice file (html or txt) to demand a ransom; 2 other signatures
  Started: sample.exe (19); RranN.exe (23)

sample.exe (13)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: sample.exe (26)

sample.exe (15)
  Signatures: Injects a PE file into a foreign processes
  Started: sample.exe (28)

sample.exe (17)
  Started: sample.exe (30)

sample.exe (19)
  Network: api.2ip.ua 188.114.96.3, 443, 49731, 49737 (CLOUDFLARENETUS, European Union)
  Dropped: A9095F449282192679...E5D3AA283D14764.exe (PE32); A9095F449282192679...exe:Zone.Identifier (ASCII)
  Started: sample.exe (32); icacls.exe (35)

RranN.exe (23)
  Network: ddos.dnsnb8.net 44.221.84.105, 49730, 799 (AMAZON-AESUS, United States)
  Dropped: C:\Program Files\7-Zip\Uninstall.exe (PE32); C:\Program Files (x86)\AutoIt3\...\SciTE.exe (PE32); C:\Program Files (x86)\AutoIt3\...\MyProg.exe (MS-DOS)
  Signatures: Detected unpacking (changes PE section rights); Infects executable files (exe, dll, sys, html)
  Started: WerFault.exe (37)

sample.exe (32)
  Signatures: Injects a PE file into a foreign processes
  Started: sample.exe (39)

sample.exe (39)
  Network: zerit.top 92.246.89.93, 49739, 49740, 49743 (LIVECOMM-ASRespublikanskayastr3k6RU, Russian Federation)
  Dropped: C:\_readme.txt (ASCII); C:\Users\user\_readme.txt (ASCII); C:\Users\user\...\wctF86A.tmp.wdlo (copy) (MS-DOS); 61 other malicious files
  Signatures: Infects executable files (exe, dll, sys, html); Modifies existing user documents (likely ransomware behavior)
Threat name: Win32.Virus.Jadtre
Status: Malicious
First seen: 2024-07-24 20:05:08 UTC
File Type: PE (Exe)
Extracted files: 8
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:djvu aspackv2 discovery persistence ransomware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
ASPack v2.12-2.42
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Detected Djvu ransomware
Djvu Ransomware
Malware Config
C2 Extraction: http://fuyt.org/test1/get.php
Unpacked files
SHA256 hash: af6b33f859593dcb716c81b1416e52ad8cdf8e7a36662893ac3be277f9805430
MD5 hash: 5262fd9d36dba4cbc654a7331d3f684d
SHA1 hash: 666f465de6a152f2e005d00d6fcc937c89ec0af1
Detections: SUSP_XORed_URL_In_EXE
Parent samples:
SHA256 hash: 81b898b0f0db02467f48f2242554bc47476b89af93eeb4fdd45092187ef1fa58
MD5 hash: d08d84f8e55f72ddbcffa2e073336696
SHA1 hash: 32d9470150942dacbda31cd642b55317f600fee3
SHA256 hash: 48ba4b8f4d87039ee33cac2af62a67ee1fd9b3b1b02f4b183f78a7c326b4e42d
MD5 hash: 0b5606b5bd61d8026fbcf1a217248485
SHA1 hash: 905991e3483187cad6d9dd51cde2a3a4ac168e62
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Stop
Executable exe 48ba4b8f4d87039ee33cac2af62a67ee1fd9b3b1b02f4b183f78a7c326b4e42d (this sample)
Delivery method: Distributed via e-mail attachment

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetConsoleTextAttribute, KERNEL32.dll::GetConsoleAliasesA, KERNEL32.dll::GetConsoleAliasesLengthA, KERNEL32.dll::GetConsoleTitleW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryExA, KERNEL32.dll::MoveFileExW, KERNEL32.dll::MoveFileA, KERNEL32.dll::ReplaceFileA

Comments