MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
SHA3-384 hash: 742d774b2ae488fc40d15e807f1f842af39fdd71031f4533f8fa82ed874084db249fe360893a134a62a2dfd4dc48f1ec
SHA1 hash: cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
MD5 hash: f4e7e91d4fdda2d3feb401b5b1d53abf
humanhash: friend-football-muppet-single
File name: Dijouh_Payload.bin
File size: 61'952 bytes
First seen: 2023-03-06 23:22:28 UTC
Last seen: Never
File type: DLL dll
MIME type: application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 1536:IHgLs7Z0RQtJTAtTrSqMFX1y5pzHhlquX/S1BokV:IHgLO0Ctd0vMFX1wflZSDV
Threatray 45 similar samples on MalwareBazaar
TLSH T18D537C8C67EC9F67CE5D8AFDF0B122A107F484356B83F7566D41502A69933F280229DB
TrID 88.8% (.DLL) Generic .NET DLL/Assembly (236632/4/32)
3.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win32 Executable (generic) (4505/5/1)
0.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter asukiko_f
Tags:.NET dll dropped Smartassembly

Intelligence


File Origin
# of uploads: 1
# of downloads: 238
Origin country: BR
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: obfuscated packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
22 / 100
Signature
Machine Learning detection for sample
Behaviour
Behavior Graph:
Behavior Graph ID: 821115. Sample: Dijouh_Payload.bin.dll. Start date: 07/03/2023. Architecture: WINDOWS. Score: 22. Signature: Machine Learning detection for sample. Process chain: loaddll32.exe started cmd.exe and conhost.exe; cmd.exe started rundll32.exe.
Result
Malware family:
n/a
Score: 1/10
Tags:
n/a
Behaviour
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash:
498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f
MD5 hash:
f4e7e91d4fdda2d3feb401b5b1d53abf
SHA1 hash:
cf9e76e6418850ac853bd9c6ce82a0be7920fc1d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research
Rule name:INDICATOR_EXE_Packed_SmartAssembly
Author:ditekSHen
Description:Detects executables packed with SmartAssembly

File information


The table below shows additional information about this malware sample such as delivery method and external references.

DLL dll 498c0460da26cfc2c4ec95b9b394bbd3db719ba08ccbd5964a533bc9006dcf8f (this sample)

Comments



Asukiko commented on 2023-03-06 23:24:40 UTC

Dropped by:
SHA256 - 89c9935b305ddc218ccce08c0676176e0c8be511b15f9fa9af9a7560c76560c7

When you analyze this sample, note that it uses Gzip and other tricks to load itself from memory; resolve the SmartAssembly string encryption before continuing.