MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88
SHA3-384 hash: 13d7ad86259c6049530c459488da5ff68edafde97624e1bf123c34ccb8e64e21c43a3d36acf4d93c1ed27bdf3d2b4d2f
SHA1 hash: 803c032ddeb9bcb46d828cf6bdc989d1a25cc660
MD5 hash: d52448cb39e67d27dae28f60906affcc
humanhash: bacon-aspen-georgia-charlie
File name:file
Download: download sample
File size:49'664 bytes
First seen:2020-02-27 15:44:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 768:ULvM+2O7Gel5quISq41ET8n7efFKuaAu4ycpV0byA8Bw4/xv5fS5:cCvel5HnqDY6f4vBcpsraW
Threatray 17 similar samples on MalwareBazaar
TLSH 85237E72E99190F9C76325F016CF363996AEBE2034E61A9EA3895E031D705C3772F163
Reporter johannes
Tags:parasite


Avatar
viql
parasite via https://pastebin.com/raw/eq02qVMc

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.HLLW.Autoruner1.14959.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Parazit
Create hunting rule
Status:
Malicious
First seen:
2020-02-21 00:24:48 UTC
AV detection:
28 of 30 (93.33%)
Threat level:
  2/5
Verdict:
malicious
Similar samples:
1e123a6c5d65084ca6ea78a26ec4bebcfc4800642fec480d1ceeafb1cacaaa83
6b85fd7249ceaf4a88f71ad1becb27b9c9a17b1c1bd2cb75f25cdc7b1318785a
88abb1fac4a77edb76cc29e112111e658e66eee14f1eaf19290739ec06b88090
a50f9170ee444aa88d99e2215f2ee8c1c7d1c9b93f686ec403e34ff16b585b86
b5976c55670c484ababd28736f50e297c3b1b57f1580d26f5fd1ecf60332a11c
bb53f47b4c6693ad29934983c001471b82827f659a724c97e2b1d13fd158fd34
ce478fdbd03573076394ac0275f0f7027f44a62a306e378fe52beb0658d0b273
e127b93395eb2d0cf5b3b1e43257b342fb51f7b68e55615aed0366c2d313b875
ef0116d9f61a26ad233dc3edc1990eb6c83b0398a593c65ef19f106008892eee
f7e6d70e5553fb8c221304bf51126f457d4825194c4ef4f98915b28eb9942326
+ 7 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201109-fy6n87k9zn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Checks BIOS information in registry
Identifies Wine through registry keys
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_parasite_http_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments