MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 532cedf1c9c50a145f7d4192ef79b5054e65ab3667cc0cef371f644eb68b8681. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 532cedf1c9c50a145f7d4192ef79b5054e65ab3667cc0cef371f644eb68b8681
SHA3-384 hash: c1f9760077c47477aa8ce30a9c46f8832b235dcfada92da137053be0a00b796897ad3fd8f174ac0ceb92cd16e68c081c
SHA1 hash: 92ead3813bf07fcc3b897f358b71d40a4c4d24d6
MD5 hash: c0b2a28fff2c9967f7ac76e6618e9d96
humanhash: kilo-sweet-zebra-east
File name:Telegram.dll
Download: download sample
File size:205'824 bytes
First seen:2021-11-12 14:29:03 UTC
Last seen:Never
File type:DLL dll
MIME type:application/x-dosexec
imphash dae02f32a21e03ce65412f6e56942daa (123 x YellowCockatoo, 60 x CobaltStrike, 44 x JanelaRAT)
ssdeep 6144:LnBnoSz4K2Dn/Vt63bZxCI5cAa8pGIop/cvR:LBnBr8n/Vt63b+8QkvR
Threatray 460 similar samples on MalwareBazaar
TLSH T14D14076D39069E91E3182577C1CB810803749D92A6B3F3577DEA326D5A067E3BC09ACF
Reporter James_inthe_box
Tags:dll

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/205314/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/618e7a31a00afa9663a52662/reports/a768e6be-03d3-4460-b9c3-977caf8b6df8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f09e5247-68d3-49f0-bfc3-1c2fe66a5b4d
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
21 / 100
Link:
https://www.joesandbox.com/analysis/888166
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 520639 Sample: Telegram.dll Startdate: 12/11/2021 Architecture: WINDOWS Score: 21 13 .NET source code contains method to dynamically call methods (often used by packers) 2->13 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        process5 11 rundll32.exe 9->11         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/532cedf1c9c50a145f7d4192ef79b5054e65ab3667cc0cef371f644eb68b8681/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2021-11-12 14:28:47 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1ac6d1275df2a3c1c7331666e29259aaecc303f6be32f9248c3c6bc5d2638e55
23b916e5bb30f814e9819cf3499fe56820380b827b20f595022eabbd47267374
272f11a73d3b4df0108860fabd9a915694b21bb893e2a762abbc1c7176e8c095
28fbc35964c5a137d5e4bb2c770fbc6674d26fe478e18a0759e0647a44cb0d54
377d26a6588706b8cfe01190404beffb8ef5331e0bc5fe629cfd0683d590dd0b
5264cba383d033b281e0d9c097225f350fa4cb4aa910621638e79c8659ac4035
5f414a29ec7408e7f881a284752cac5b7f9645e9e6b406bd0f04f2e2a81d9348
8fedbb8266e526f159049be17d2a2564548a4557942dfd3d2988b1ef354267d5
e221a9a50a4c2492f5fbd710cddc97c63ea9247f6e6c0ba1893e12a9ca608395
ef0116d9f61a26ad233dc3edc1990eb6c83b0398a593c65ef19f106008892eee
+ 450 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211112-rtlk4adfc5/
Unpacked files
SH256 hash:
532cedf1c9c50a145f7d4192ef79b5054e65ab3667cc0cef371f644eb68b8681
MD5 hash:
c0b2a28fff2c9967f7ac76e6618e9d96
SHA1 hash:
92ead3813bf07fcc3b897f358b71d40a4c4d24d6
Link:
https://www.unpac.me/results/8251209c-e5df-4e0a-a737-da16c700ff59/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/532cedf1c9c50a145f7d4192ef79b5054e65ab3667cc0cef371f644eb68b8681

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:extracted_at_0x44b
Create hunting rule
Author:cb
Description:sample - file extracted_at_0x44b.exe
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/205314/

Comments