MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824
SHA3-384 hash: 357cec47a95fa11c3425ef1d4a12725fe3344d75c103407c871e720627a7e04118ff52b7e13eb42ce00a239bf1162413
SHA1 hash: 5846e13d09a03fcd87a354d2ac309782bfe6cbcc
MD5 hash: 8062878d5d1560c72c4043058d81261e
humanhash: mississippi-echo-artist-thirteen
File name:8062878d5d1560c72c4043058d81261e.exe
Download: download sample
File size:169'984 bytes
First seen:2021-01-20 14:35:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6ed4f5f04d62b18d96b26d6db7c18840 (225 x SalatStealer, 78 x BitRAT, 42 x RedLineStealer)
ssdeep 1536:3yF+FO8Lv1wwxC42kTIue/JFbpvs25HQ1YPimQ7Myr6skYzZooo17JHJV4CFRjnz:C8LdvszlBFr5HYt5kYFovNpXfQ+c+
Threatray 953 similar samples on MalwareBazaar
TLSH 4CF3E070EE4CEC8FE4572C388E6137CB65A8A9532A45490FEE1F3E29AC3C29C14D525D
Reporter abuse_ch
Tags:exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
http://dl-link.network/dlsock.exe
Verdict:
Malicious activity
Analysis date:
2021-01-20 12:19:38 UTC
Tags:
loader
Link:
https://app.any.run/tasks/6b4e3318-3801-41b1-9e9c-5512f2b9c013

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113121/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Sending a custom TCP request
Creating a process with a hidden window
DNS request
Connection attempt
Sending a UDP request
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/586354
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824/
Threat name:
Win32.Trojan.Ranumbot
Create hunting rule
Status:
Malicious
First seen:
2021-01-20 01:55:48 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
003bd2ca89efc808a6f5e607f1d19c2d5ca1d629dfef3f324a9fbea0ce933fd7
8d72fc855462fac8cbd62a30953752da1160ee677872cd15ee0331c5cbff6618
9356e204a3bab01044003d58937be31f0edfae7ea5c790916178ce1a8d6173ff
9c7b166c818edf7bda6a112376c7bb20dd704ac9eb74be1d387af077a82dc620
a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de
c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499
d28966990ec27ae9250c919dd814cd1862e9e0e6b6f31a5418ab58de8ebe446a
d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626
efdc1489d1024ba19acaa9a86fb0750446896947a563e6d89739254d8250a932
f57aff01f0d6a36bddeb8e7bbf8b33874c47a58d7827399c823424866aee33dd
+ 943 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210120-p8dyjwj4ds/
Behaviour
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Unpacked files
SH256 hash:
f52316141eded27419f33c75b90721cb804cc43b7c3acdd15c964393fcefa740
MD5 hash:
c2d7d659f625160593ade0ccca633e26
SHA1 hash:
53406f956ccd2bbf8295e7f97f3c9a170fff5402
Link:
https://www.unpac.me/results/b80936cb-512c-4097-ba1d-40dcaddcf4a0/
SH256 hash:
034b29db362440bc652b5ad6652e5b7d57a95615b466a854d3b4ca0a191c1084
MD5 hash:
dd75839d71cbf5013d05f2ac0aa366b8
SHA1 hash:
d4822c3eb6d1b2da8ddf333da989085a80fdcd91
Link:
https://www.unpac.me/results/b80936cb-512c-4097-ba1d-40dcaddcf4a0/
SH256 hash:
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824
MD5 hash:
8062878d5d1560c72c4043058d81261e
SHA1 hash:
5846e13d09a03fcd87a354d2ac309782bfe6cbcc
Link:
https://www.unpac.me/results/b80936cb-512c-4097-ba1d-40dcaddcf4a0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/972367/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/113121/

Comments