MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ef27aa805d70d310dd56575525553be1baf7a48d4e7327f056ca0a5859c6ff6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4



SHA256 hash: 4ef27aa805d70d310dd56575525553be1baf7a48d4e7327f056ca0a5859c6ff6
SHA3-384 hash: a8b3fd515dbfd1adad5e34da0929dc9785ac90c634de3f382ff9e96f2be9c9a320995a1ccddf028750efceee55ac750d
SHA1 hash: ce3dd7f9fe5e4fb95b68a09f0edac91c52e51b00
MD5 hash: b28aa40baaf219c8b02afa92bc03010f
humanhash: magnesium-carpet-wisconsin-vermont
File name: 4ef27aa805d70d310dd56575525553be1baf7a48d4e7327f056ca0a5859c6ff6.dll
File size: 118'272 bytes
First seen: 2021-09-23 21:48:07 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 3072:QC4O+UN3jDoK4Tcg36R40pv0nzS+OM3i0uM:QLO++jDoKRJpMO+OM3QM
Threatray: 9 similar samples on MalwareBazaar
TLSH: T106C3D0D97E0CFCEDCE421B348462284716E0B9696FA15FEFDE5C20BDA6E12E51036251
Reporter: Anonymous
Tags: exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 106
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: malware.malware
Verdict: Malicious activity
Analysis date: 2021-09-23 17:48:07 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 489381, sample 6rOzFiIJRe.dll, start date 23/09/2021, architecture WINDOWS, score 76). Process tree with the signatures attached to each node in brackets:
  Start [Sigma detected: UNC2452 Process Creation Patterns; Sigma detected: CobaltStrike Load by Rundll32]
    rundll32.exe [Uses cmd line tools excessively to alter registry or file data; Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes]
      cmd.exe [Uses cmd line tools excessively to alter registry or file data]
        reg.exe
        conhost.exe
      cmd.exe
        conhost.exe
        reg.exe
      chrome.exe
    loaddll64.exe
      rundll32.exe
        cmd.exe
          rundll32.exe
            cmd.exe [Uses cmd line tools excessively to alter registry or file data]
              reg.exe [Creates an autostart registry key pointing to binary in C:\Windows]
              conhost.exe
            cmd.exe
              rundll32.exe
              conhost.exe
              timeout.exe
          conhost.exe
          choice.exe
      cmd.exe
        rundll32.exe
      rundll32.exe
    rundll32.exe
Result
Malware family: n/a
Score: 6/10
Tags: persistence
Behaviour
Delays execution with timeout.exe
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SHA256 hash: 4ef27aa805d70d310dd56575525553be1baf7a48d4e7327f056ca0a5859c6ff6
MD5 hash: b28aa40baaf219c8b02afa92bc03010f
SHA1 hash: ce3dd7f9fe5e4fb95b68a09f0edac91c52e51b00
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments