MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4958b38f87f76e4d9345736b410d30ede5aea42bac171e1e2cbd94d1f9856db8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4958b38f87f76e4d9345736b410d30ede5aea42bac171e1e2cbd94d1f9856db8
SHA3-384 hash: c239f21dd824da5a536ba9977a65da562ded95f79d48f6a33b302a2245683c11145193065ec6abf307694d0e462aea0e
SHA1 hash: 117b59574ec70447f9c89182658bb0ea36ce487d
MD5 hash: 48df567ad35575ccc941c4200bba72eb
humanhash: low-hotel-magazine-louisiana
File name:Ex.exe.bin
Download: download sample
File size:939'008 bytes
First seen:2020-12-02 12:52:57 UTC
Last seen:2020-12-02 15:02:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 32c5de998b5f069b26c94c8143b13c06 (7 x DCRat, 6 x AsyncRAT, 3 x QuasarRAT)
ssdeep 24576:SG/LK3/lltayuYdzVkYB9r2NIxytD4tDIx8JWJHFqe:SGT+97aadzq49rGIxytD4uOJWSe
Threatray 1 similar samples on MalwareBazaar
TLSH 51151289EE682637D1AB1AB0A85358DCFAF44DE11A7AC6FF07D14394B2313F51136287
Reporter Anonymous

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106390/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.13248.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/553550
Signature
Antivirus / Scanner detection for submitted sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected unpacking (changes PE section rights)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4958b38f87f76e4d9345736b410d30ede5aea42bac171e1e2cbd94d1f9856db8/
Threat name:
Win32.Packed.NoobyProtect
Create hunting rule
Status:
Malicious
First seen:
2020-12-02 12:53:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  1/5
Verdict:
malicious
Similar samples:
cdc410fc7ec76c6fec7439539c0c459a71ea6ccc0f8c434a278ceb20705488f2
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201202-rrsb1w73z6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Deletes itself
Unpacked files
SH256 hash:
4958b38f87f76e4d9345736b410d30ede5aea42bac171e1e2cbd94d1f9856db8
MD5 hash:
48df567ad35575ccc941c4200bba72eb
SHA1 hash:
117b59574ec70447f9c89182658bb0ea36ce487d
Link:
https://www.unpac.me/results/6c1c4f33-0e0e-4c10-bf73-a79a267fe4dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Amtar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4958b38f87f76e4d9345736b410d30ede5aea42bac171e1e2cbd94d1f9856db8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/106390/

Comments