MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4eddae6270bea0e72b01601a5d5b186a3abb162239463eaeb67d9d95cfd7cc8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4eddae6270bea0e72b01601a5d5b186a3abb162239463eaeb67d9d95cfd7cc8b
SHA3-384 hash: 43ac0a771dd821646ef2b4fb8a2284cd8fcc9130a19535c5c6479d4ad7e63af9ed5d67f89e3cce8ad28404184c0684ec
SHA1 hash: 1ba9ed13b528c63594dac92f250ab3026deb6504
MD5 hash: 024e33b8a7f7c5a5791d00422ed4a21a
humanhash: summer-ceiling-harry-nineteen
File name:SecuriteInfo.com.Variant.Razy.561913.3044.10881
Download: download sample
File size:2'430'765 bytes
First seen:2021-05-19 06:41:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32c5605c17ed8c33b7bc669a699350af (1 x Sality)
ssdeep 49152:zmXFi6yPDfF+8urikt72tkYQ4i9c4xbxlzWRR8dLM0bRncWzb:CXjGfFvaELiqRmLxbRc6
Threatray 1'348 similar samples on MalwareBazaar
TLSH C6B533498FF27296C5F05BF112EF32E8ABE39515DE89B3709C10090A3E8AF74F556660
Reporter SecuriteInfoCom

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Variant.Razy.561913.3044.10881
Verdict:
No threats detected
Analysis date:
2021-05-19 11:03:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dbf6a9bc-7fa1-4b2b-80b6-40413657b156

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/158381/
Detection(s):
SecuriteInfo.com.Variant.Razy.561913.3044.10881.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for analyzing tools
Searching for the window
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/784612
Signature
Antivirus / Scanner detection for submitted sample
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-05-18 09:08:54 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
266f8215ba1b531f93fb7567c34088e49ad4de63d9c2726e11caaa6158be9d9a
267adb8b92c06ae53186fc26b40caf4d9e1ae4893475b2d1d8f29b040c67d9b4
3aca81cf13b507c90fc184e9ea9712c394b2e6847ede458f9d732d4c71d7432a
546e5320773891c160621ec99d48fb4d90d6d58bc26ab01d7e5a3f16fec9636c
8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6
a09ce48399c1819d7f6f78cebe566fdb7ef54e80a567110aa54c8142d6e1d5c2
a1d1febdafdc6b6f86d0c8949ee4e34157fb1e5cea1ff7d63bdce0900a3478b6
bf375d5c15abb5c57b0cc3371a3537b79560fe82b1aff486afde752e05971ebb
cc53accc69b32c2507210ea70d1d56aa84dbe354a7f79577df180179ea797427
f05d76c071555f48ff240556f6d0d3d895493c3c411e182648d256f83ad657e5
+ 1'338 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
themida
Link:
https://tria.ge/reports/210519-8qmtvwey4j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe 4eddae6270bea0e72b01601a5d5b186a3abb162239463eaeb67d9d95cfd7cc8b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1254414/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/158381/

Comments